diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners-v2.yml
similarity index 73%
rename from .github/workflows/codeowners.yml
rename to .github/workflows/codeowners-v2.yml
index 9d781c6ef080e..23720e25e5260 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -1,17 +1,32 @@
-name: Codeowners
+name: Codeowners v2
 
-# This workflow depends on a GitHub App with the following permissions:
-# - Repository > Administration: read-only
-# - Organization > Members: read-only
-# - Repository > Pull Requests: read-write
-# The App needs to be installed on this repository
-# the OWNER_APP_ID repository variable needs to be set
-# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+# This workflow depends on two GitHub Apps with the following permissions:
+# - For checking code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#   - Install App on this repository, setting these variables:
+#     - OWNER_RO_APP_ID (variable)
+#     - OWNER_RO_APP_PRIVATE_KEY (secret)
+# - For requesting code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#     - Repository > Pull Requests: read-write
+#   - Install App on this repository, setting these variables:
+#     - OWNER_APP_ID (variable)
+#     - OWNER_APP_PRIVATE_KEY (secret)
+#
+# This split is done because checking code owners requires handling untrusted PR input,
+# while requesting code owners requires PR write access, and those shouldn't be mixed.
 
 on:
   pull_request_target:
     types: [opened, ready_for_review, synchronize, reopened, edited]
 
+# We don't need any default GitHub token
+permissions: {}
+
 env:
   OWNERS_FILE: ci/OWNERS
 # Don't do anything on draft PRs
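Review bot: The rationale paragraph at the end of the new header comment says the two Apps shouldn't be mixed, but it does not state the invariant the split depends on: only the read-only App's token may exist in the job that processes PR-controlled input, and the read-write App's token must be minted only in a job that never checks out or executes PR-provided content. Consider appending `# Only the read-only App's token may be used in the job that handles PR input; the read-write App's token belongs in a separate job that does not check out or run PR-controlled content.` to that paragraph. It would also help to name which job uses which App, since this hunk documents the Apps but the job bodies are outside it. The added `permissions: {}` is the right default for a `pull_request_target` workflow; the comment above it could say so explicitly, e.g. `# No default GITHUB_TOKEN: this runs on pull_request_target, so each job must opt in to exactly the scopes it needs`.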
@@ -45,8 +60,8 @@ jobs:
       - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         id: app-token
         with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+          app-id: ${{ vars.OWNER_RO_APP_ID }}
+          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig-v2.yml
similarity index 95%
rename from .github/workflows/editorconfig.yml
rename to .github/workflows/editorconfig-v2.yml
index b4ef16a734b7a..9bae2c32774d7 100644
--- a/.github/workflows/editorconfig.yml
+++ b/.github/workflows/editorconfig-v2.yml
@@ -1,6 +1,8 @@
-name: "Checking EditorConfig"
+name: "Checking EditorConfig v2"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors
diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos-v2.yml
similarity index 94%
rename from .github/workflows/manual-nixos.yml
rename to .github/workflows/manual-nixos-v2.yml
index 2ae4d929c12d9..26a6279dcf221 100644
--- a/.github/workflows/manual-nixos.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@@ -1,6 +1,7 @@
-name: "Build NixOS manual"
+name: "Build NixOS manual v2"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:
diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs-v2.yml
similarity index 94%
rename from .github/workflows/manual-nixpkgs.yml
rename to .github/workflows/manual-nixpkgs-v2.yml
index 676a554107d59..f51c1c5ef9def 100644
--- a/.github/workflows/manual-nixpkgs.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@@ -1,6 +1,7 @@
-name: "Build Nixpkgs manual"
+name: "Build Nixpkgs manual v2"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:
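Review bot: The `actions/checkout` step right after the token step has its `with:` block cut off by the hunk, so it cannot be confirmed here whether the read-only App token from `steps.app-token` is passed as `token:` and whether `persist-credentials: false` is set; in a `pull_request_target` workflow that handles PR input, a token persisted in the checkout is available to every later step in that job. If the token is not needed for cloning, prefer not passing it; if it is, add `persist-credentials: false` under the checkout's `with:` so it is not left in the working tree. A short comment on the `id: app-token` step, such as `# read-only App token: used for API lookups only, never exposed to PR-controlled code`, would record the intent this rename implements. The enclosing job starts and ends outside this hunk.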
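Review bot: The explicit `permissions:` block replacing `read-all` lists `pull-requests: read` and `contents: read`, but nothing records which step consumes each scope, so a later reviewer cannot tell whether a scope is still needed when a step changes; the same applies to `contents: read` in the manual-nixos-v2.yml and manual-nixpkgs-v2.yml hunks and to both scopes in the nix-parse-v2.yml hunk. A trailing comment per scope, e.g. `pull-requests: read  # <STEP-THAT-READS-PR-METADATA>` and `contents: read  # checkout`, with the placeholder replaced by the real step name, keeps each scope next to its justification. The `on:` block continues outside the hunk, so the trigger this permission set applies to is not visible here beyond the comment about first-time contributors.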
diff --git a/.github/workflows/nix-parse.yml b/.github/workflows/nix-parse-v2.yml
similarity index 93%
rename from .github/workflows/nix-parse.yml
rename to .github/workflows/nix-parse-v2.yml
index 352cb81d87ed5..03f6af1b876b3 100644
--- a/.github/workflows/nix-parse.yml
+++ b/.github/workflows/nix-parse-v2.yml
@@ -1,6 +1,8 @@
-name: "Check whether nix files are parseable"
+name: "Check whether nix files are parseable v2"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors