diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a5b3018be..e28e7bd62 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,8 @@ jobs:
 matrix:
 platform: [ubuntu-latest, macos-latest, windows-latest]
 runs-on: ${{ matrix.platform }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v3
@@ -38,6 +40,8 @@ jobs:
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 check-docs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-node@v3
@@ -69,9 +73,8 @@ jobs:
 # disabled on forks
 if: github.event_name == 'push' && github.repository == 'MarkBind/markbind'
 runs-on: ubuntu-latest
- env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-node@v3
diff --git a/.github/workflows/pr-merge.yml b/.github/workflows/pr-merge.yml
index 8e5a27ce3..b5d601730 100644
--- a/.github/workflows/pr-merge.yml
+++ b/.github/workflows/pr-merge.yml
@@ -12,6 +12,12 @@ jobs:
 check-pr-label:
 if: ${{ github.event.pull_request.merged }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ outputs:
+ num_labels_chosen: ${{ steps.check_pr_description_label.outputs.num_labels_chosen }}
+ message: ${{ steps.check_pr_description_label.outputs.message }}
+ chosen_label: ${{ steps.check_pr_description_label.outputs.chosen_label }}
 steps:
 - uses: actions/checkout@v3
 - name: Check for PR description label
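Review bot: The read-only `permissions` block is added job by job (this matrix job, check-docs and the push-only job in ci.yml, check-pr-label in pr-merge.yml, remind-pr-author in pr-message-reminder.yml), but none of the hunks sets a workflow-level default, so any job added to these workflows later without its own block still receives the repository's default token scope. A top-level `permissions:` / `contents: read` in each workflow, above `jobs:` and outside these hunks, would make read-only the baseline and leave the job-level blocks to widen only where needed, as assign-label-or-reminder does with `pull-requests: write`. The remainder of each of these jobs lies outside its hunk, so I cannot confirm from the diff alone that `contents: read` covers every step they run.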
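Review bot: Removing the job-level `env:` / `GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}` in the third ci.yml hunk changes what the later steps of this push-only job can do, and those steps are outside the hunk: a step that read `$GITHUB_TOKEN` from the environment (plausibly one that publishes built output) will now find it unset, and the only token left to it is the automatic one, which the new block limits to `contents: read`. Please confirm no remaining step of this job depends on that variable; if one does, give it the secret in that step's own `env:` rather than restoring it job-wide, which keeps the PAT's exposure narrower than before. The same confirmation is needed for remind-pr-author in pr-message-reminder.yml, whose steps after the checkout are also outside its hunk.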
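Review bot: The three new job outputs on check-pr-label are undocumented, and their meaning is only recoverable from the shell step further down, which is outside this hunk; a comment above `outputs:` such as `# num_labels_chosen: how many SEMVER boxes are ticked in the PR body; chosen_label: the r.* label echoed by the step, empty unless exactly one box is ticked` would tell a reader of assign-label-or-reminder what it consumes. The outputs reference the step id `check_pr_description_label`, whose `id:` line is not visible here; the removed step-level `env` used the same id, so it presumably exists on the step named `Check for PR description label`, but worth a glance.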
@@ -24,13 +30,13 @@ jobs:
 is_minor=$(echo "$proposed_version_impact" | grep -qi '\[X\] Minor'; echo $((1-$?)))
 is_patch=$(echo "$proposed_version_impact" | grep -qi '\[X\] Patch'; echo $((1-$?)))
 num_labels_chosen=$(($is_major + $is_minor + $is_patch))
- echo "num_labels_chosen=$num_labels_chosen" >> $GITHUB_OUTPUT
+ echo "num_labels_chosen=$num_labels_chosen" >> "$GITHUB_OUTPUT"
 if [[ "$num_labels_chosen" -eq 0 ]]; then
- echo "message=$(echo "@${MERGE_AUTHOR} Each PR must have a SEMVER impact label, please remember to label the PR properly.")" >> $GITHUB_OUTPUT
+ echo "message=$(echo "@${MERGE_AUTHOR} Each PR must have a SEMVER impact label, please remember to label the PR properly.")" >> "$GITHUB_OUTPUT"
 elif [[ "$num_labels_chosen" -ge 2 ]]; then
- echo "message=$(echo "@${MERGE_AUTHOR} Each PR can only have one SEMVER impact label, please remember to label the PR properly.")" >> $GITHUB_OUTPUT
+ echo "message=$(echo "@${MERGE_AUTHOR} Each PR can only have one SEMVER impact label, please remember to label the PR properly.")" >> "$GITHUB_OUTPUT"
 else
- echo "message=$(echo "SEMVER impact selected.")" >> $GITHUB_OUTPUT
+ echo "message=$(echo "SEMVER impact selected.")" >> "$GITHUB_OUTPUT"
 echo "chosen_label=$(
 if [ "$is_major" -eq 1 ]; then
 echo "r.Major"
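Review bot: The rewritten `message=` lines still wrap a constant string in a `$(echo ...)` subshell that adds nothing; `echo "message=@${MERGE_AUTHOR} Each PR must have a SEMVER impact label, please remember to label the PR properly." >> "$GITHUB_OUTPUT"` (and likewise for the other two branches) is equivalent and easier to read. These writes are well-formed only because each value is a single line — fixed text plus `MERGE_AUTHOR`, a GitHub login; a comment such as `# one key=value per line: keep messages single-line, never embed TEXT_BODY here` would stop a future edit from breaking `$GITHUB_OUTPUT` parsing with a multi-line PR body. The step body begins above this hunk.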
@@ -39,31 +45,39 @@ jobs:
 elif [ "$is_patch" -eq 1 ]; then
 echo "r.Patch"
 fi
- )" >> $GITHUB_OUTPUT
+ )" >> "$GITHUB_OUTPUT"
 fi
 env:
 TEXT_BODY: ${{ github.event.pull_request.body }}
 MERGE_AUTHOR: ${{ github.event.sender.login }}
- - name: Assign label based on version impact
- uses: actions/github-script@v7
+
+ assign-label-or-reminder:
+ if: ${{ github.event.pull_request.merged }}
+ runs-on: ubuntu-latest
+ needs: check-pr-label
+ permissions:
+ pull-requests: write
+ steps:
+ - uses: actions/github-script@v7
 with:
- script: |
- if (process.env.NUM_LABELS_CHOSEN != 1) {
- github.rest.issues.createComment({
+ script: |
+ if (process.env.NUM_LABELS_CHOSEN != 1) {
+ github.rest.issues.createComment({
+ issue_number: context.payload.pull_request.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: process.env.MESSAGE,
+ });
+ } else {
+ github.rest.issues.addLabels({
 issue_number: context.payload.pull_request.number,
 owner: context.repo.owner,
 repo: context.repo.repo,
- body: process.env.MESSAGE,
- });
- } else {
- github.rest.issues.addLabels({
- issue_number: context.payload.pull_request.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- labels: [process.env.CHOSEN_LABEL]
- });
- }
+ labels: [process.env.CHOSEN_LABEL]
+ });
+ }
 env:
- NUM_LABELS_CHOSEN: ${{ steps.check_pr_description_label.outputs.num_labels_chosen }}
- MESSAGE: ${{ steps.check_pr_description_label.outputs.message }}
- CHOSEN_LABEL: ${{ steps.check_pr_description_label.outputs.chosen_label }}
+ NUM_LABELS_CHOSEN: ${{ needs.check-pr-label.outputs.num_labels_chosen }}
+ MESSAGE: ${{ needs.check-pr-label.outputs.message }}
+ CHOSEN_LABEL: ${{ needs.check-pr-label.outputs.chosen_label }}
+
diff --git a/.github/workflows/pr-message-reminder.yml b/.github/workflows/pr-message-reminder.yml
index 6afa6700c..26556ac83 100644
--- a/.github/workflows/pr-message-reminder.yml
+++ b/.github/workflows/pr-message-reminder.yml
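Review bot: Neither `github.rest.issues.createComment(...)` nor `github.rest.issues.addLabels(...)` in the new assign-label-or-reminder script is awaited or returned, so a rejected call — most plausibly a 403 now that the job runs with only `pull-requests: write` — may surface as an unhandled promise rejection rather than a clearly attributed step failure; prefix both with `await` (`await github.rest.issues.createComment({` and `await github.rest.issues.addLabels({`). The job also repeats `if: ${{ github.event.pull_request.merged }}` although `needs: check-pr-label` already skips it when the upstream job was skipped; harmless, but a one-line comment saying the duplication is intentional would stop someone removing one side later. The last added line is an empty line at end of file, which yamllint's empty-lines rule will flag.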
@@ -20,6 +20,8 @@ jobs:
 remind-pr-author:
 if: github.event_name == 'pull_request'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v3