fix: isolate write permissions and add format check for PRs

iqbalhasandev · iqbalhasandev · commit cff6b285dc82 · 2026-04-12T10:46:57.000+06:00
- Set workflow-level permissions to contents: read (least-privilege for PR runs)
- Split auto-format/commit into a separate job gated to push only, with
  job-level contents: write
- Remove ref: github.head_ref from checkout (broken on push events and fork PRs)
- Add prettier --check step to quality-check job so formatting is validated on PRs
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -17,7 +17,7 @@ on:
     branches: [main, develop]
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   quality-check:
@@ -27,9 +27,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
-        with:
-          ref: ${{ github.head_ref }}
-          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
@@ -40,17 +37,36 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      # Auto-fix formatting on push to main/develop (not on PRs)
-      # Exclude .github/ to avoid workflow permission issues
-      - name: Format code
-        if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
-        run: npx prettier --write . --ignore-path .prettierignore '!.github/**'
+      - name: Check formatting
+        run: npx prettier --check . --ignore-path .prettierignore '!.github/**'
 
       - name: Run ESLint
         run: npm run lint
 
+  auto-format:
+    name: Auto Format
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Format code
+        run: npx prettier --write . --ignore-path .prettierignore '!.github/**'
+
       - name: Commit formatting changes
-        if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
         uses: stefanzweifel/git-auto-commit-action@v7
         with:
           commit_message: 'style: fix code formatting [skip ci]'
