fix: token permisson issues (#4986)

2026-01-06 00:49:42 -06:00 · 2025-05-15 13:59:40 +05:30
parent 59ed10398d
commit a525589186
107 changed files with 188 additions and 189 deletions
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -10,6 +10,11 @@ jobs:
  chromatic:
    name: Run Chromatic
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      actions: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -25,7 +25,6 @@ permissions:
  id-token: write
  contents: read
  actions: read
-  checks: write

 jobs:
  build:
--- a/.github/workflows/release-docker-github.yml
+++ b/.github/workflows/release-docker-github.yml
@@ -20,18 +20,15 @@ env:
  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
  TURBO_TEAM: ${{ secrets.TURBO_TEAM }}

-permissions:
-  contents: read
-
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
+      id-token: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
-      id-token: write

    outputs:
      VERSION: ${{ steps.extract_release_tag.outputs.VERSION }}
--- a/.github/workflows/release-helm-chart.yml
+++ b/.github/workflows/release-helm-chart.yml
@@ -4,7 +4,7 @@ on:
  workflow_call:
    inputs:
      VERSION:
-        description: 'The version of the Helm chart to release'
+        description: "The version of the Helm chart to release"
        required: true
        type: string

--- a/.github/workflows/terraform-plan-and-apply.yml
+++ b/.github/workflows/terraform-plan-and-apply.yml
@@ -1,8 +1,8 @@
-name: 'Terraform'
+name: "Terraform"

 on:
  workflow_dispatch:
-# TODO: enable it back when migration is completed.
+  # TODO: enable it back when migration is completed.
  push:
    branches:
      - main
@@ -14,14 +14,13 @@ on:
    paths:
      - "infra/terraform/**"

-permissions:
-  id-token: write
-  contents: write
-  pull-requests: write
-
 jobs:
  terraform:
    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
@@ -83,4 +82,3 @@ jobs:
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply .planfile
        working-directory: "infra/terraform"
-