fix(workflows): assign explicit permissions (#13241)

caugner · web-flow · commit 3d5676e7f8a9 · 2025-07-01T18:00:08.000+02:00
* ci(workflows): assign explicit permissions

* chore(workflows): remove ripgrep notes
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+# No GITHUB_TOKEN permissions, as we use AUTOMERGE_TOKEN instead.
+permissions: {}
+
 jobs:
   auto-merge:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
@@ -115,7 +115,6 @@ jobs:
       - name: Install all yarn packages
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Python
diff --git a/.github/workflows/developing.yml b/.github/workflows/developing.yml
@@ -3,6 +3,9 @@ name: Developing with Yari
 on:
   pull_request:
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -20,7 +23,6 @@ jobs:
       - name: Install all yarn packages
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup kernel for react native, increase watchers
diff --git a/.github/workflows/glean-probe-scraper.yml b/.github/workflows/glean-probe-scraper.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
   glean-probe-scraper:
     if: github.repository == 'mdn/yari'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -2,6 +2,10 @@ name: "Pull Request Labeler"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   triage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/mark-as-idle-issues-pr.yml b/.github/workflows/mark-as-idle-issues-pr.yml
@@ -3,6 +3,12 @@ on:
   schedule:
     - cron: "49 11,23 * * *"
 
+permissions:
+  # Label issues.
+  issues: write
+  # Label pull requests.
+  pull-requests: write
+
 jobs:
   idle-issues-prs:
     uses: mdn/workflows/.github/workflows/idle.yml@main
diff --git a/.github/workflows/new-issues.yml b/.github/workflows/new-issues.yml
@@ -5,6 +5,10 @@ on:
       - reopened
       - opened
 
+permissions:
+  # Label issues.
+  issues: write
+
 jobs:
   label-new-issues:
     uses: mdn/workflows/.github/workflows/new-issues.yml@main
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -34,7 +34,6 @@ jobs:
         if: steps.release.outputs.release_created
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build
diff --git a/.github/workflows/npm-published-simulation.yml b/.github/workflows/npm-published-simulation.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -29,7 +32,6 @@ jobs:
         working-directory: mdn/yari
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup kernel for react native, increase watchers
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
@@ -8,6 +8,9 @@ on:
       - package.json
       - yarn.lock
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   lighthouse:
     runs-on: ubuntu-latest
@@ -38,7 +41,6 @@ jobs:
         working-directory: mdn/yari
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build select important pages
diff --git a/.github/workflows/pr-bundlesize-compare.yml b/.github/workflows/pr-bundlesize-compare.yml
@@ -3,6 +3,9 @@ name: Compare bundle size
 on:
   pull_request:
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   # Build current and upload stats.json
   build-head:
@@ -25,7 +28,6 @@ jobs:
       - name: Install all yarn packages
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build
@@ -60,7 +62,6 @@ jobs:
       - name: Install all yarn packages
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build
diff --git a/.github/workflows/pr-commit-signatures.yml b/.github/workflows/pr-commit-signatures.yml
@@ -3,6 +3,9 @@ name: "Commit signatures"
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-deployer.yml b/.github/workflows/pr-deployer.yml
@@ -6,6 +6,9 @@ on:
       - deployer/**
       - .github/workflows/pr-deployer.yml
 
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-docs.yml b/.github/workflows/pr-docs.yml
@@ -6,6 +6,10 @@ on:
       - docs/**/*.md
       - README.md
       - .github/workflows/pr-docs.yml
+
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
   docs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-kumascript.yml b/.github/workflows/pr-kumascript.yml
@@ -18,6 +18,9 @@ on:
       - package.json
       - yarn.lock
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -34,7 +37,6 @@ jobs:
       - name: Install all yarn packages
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Unit testing kumascript
diff --git a/.github/workflows/pr-rebase-needed.yml b/.github/workflows/pr-rebase-needed.yml
@@ -5,6 +5,10 @@ on:
   pull_request_target:
     types: [synchronize]
 
+permissions:
+  # Label pull requests.
+  pull-requests: write
+
 jobs:
   label-rebase-needed:
     uses: mdn/workflows/.github/workflows/pr-rebase-needed.yml@main
diff --git a/.github/workflows/prod-build.yml b/.github/workflows/prod-build.yml
@@ -156,8 +156,7 @@ jobs:
         if: ${{ ! vars.SKIP_BUILD }}
         run: yarn --frozen-lockfile
         env:
-          # Use a GITHUB_TOKEN to bypass rate limiting for ripgrep and rari.
-          # See https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
+          # Use a GITHUB_TOKEN to bypass rate limiting for rari.
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Python
diff --git a/.github/workflows/stage-build.yml b/.github/workflows/stage-build.yml
@@ -179,8 +179,7 @@ jobs:
         if: ${{ ! vars.SKIP_BUILD }}
         run: yarn --frozen-lockfile
         env:
-          # Use a GITHUB_TOKEN to bypass rate limiting for ripgrep and rari.
-          # See https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
+          # Use a GITHUB_TOKEN to bypass rate limiting for rari.
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Python
diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml
@@ -139,8 +139,7 @@ jobs:
         if: ${{ ! vars.SKIP_BUILD }}
         run: yarn --frozen-lockfile
         env:
-          # Use a GITHUB_TOKEN to bypass rate limiting for ripgrep and rari.
-          # See https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
+          # Use a GITHUB_TOKEN to bypass rate limiting for rari.
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: actions/checkout@v4
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -29,7 +29,6 @@ jobs:
       - name: Install all yarn packages (ROOT)
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install all yarn packages (pwa)
@@ -63,7 +62,6 @@ jobs:
       - name: Install all yarn packages
         run: yarn --frozen-lockfile
         env:
-          # https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Unit testing client
