
chore(ci): add explicit GITHUB_TOKEN permissions to workflows#13525

Merged
ilhan007 merged 3 commits into
mainfrom
chore/workflow-permissions
May 15, 2026

Conversation

@ilhan007
Contributor

@ilhan007 ilhan007 commented May 15, 2026

Summary

  • Adds explicit permissions blocks to all workflows that will be affected by the upcoming read-only default GITHUB_TOKEN enforcement (May 27, 2026).
  • Each workflow declares the minimum required permissions following the principle of least privilege.
  • Removes the legacy release-downport.yaml workflow, which is superseded by the v1 job in release.yaml.

Permissions applied

| Workflow | Permission | Reason |
|---|---|---|
| ci-test.yaml | contents: read | Read-only CI (checkout, build, test) |
| ci-test-website.yaml | contents: read | Read-only CI (checkout, build, typecheck) |
| lint.yaml | contents: read | Read-only CI (checkout, lint) |
| deploy-preview.yaml | contents: read | Writes use PAT (UI5_WEBCOMP_BOT_GH_TOKEN) |
| deploy.yaml | contents: write | Pushes to gh-pages via GITHUB_TOKEN |
| issue-close.yaml | issues: write | actions/stale labels/closes issues |
| issue-comment.yaml | issues: write | Comments on closed issues |
| issue-reopen.yaml | issues: write | Reopens issues on comment |
| reset-gh-pages.yaml | contents: read | Force-push uses PAT |
| reset-preview-deploy.yaml | contents: read | Netlify deploy + PR comments use PAT |

Removed

  • release-downport.yaml — superseded by the v1 job in release.yaml (same flow: conventional-graduate + publish with dist-tag)

Test plan

  • Verify CI workflows (test, website, lint) pass on this PR
  • Confirm no permission errors in workflow runs
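The three patterns in the table above (read-only CI, writes routed through a PAT, and `contents: write` only where GITHUB_TOKEN itself must push) combined in one workflow, as an added illustration that is not a file from this repository. Job names, the helper scripts and the deploy branch layout are assumptions; the secret name UI5_WEBCOMP_BOT_GH_TOKEN is the one the PR names.

```yaml
# Added example, not part of the PR. Job names and ./scripts/* are assumed.
name: least-privilege-example

on: [push, pull_request]

# Workflow-level baseline. As soon as any permissions block is declared,
# every scope not listed is set to "none", so this already matches the
# read-only default that the May 27, 2026 enforcement applies to workflows
# that declare nothing.
permissions:
  contents: read

jobs:
  test:
    # Inherits contents: read; checkout, build and test need nothing more.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  preview-comment:
    # GITHUB_TOKEN stays read-only. The PR comment is written with a PAT,
    # so what this job may do is bounded by the bot account, not this block.
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/post-preview-comment.sh   # assumed helper script
        env:
          GH_TOKEN: ${{ secrets.UI5_WEBCOMP_BOT_GH_TOKEN }}

  deploy:
    # Job-level permissions replace the workflow-level block for this job
    # only, so contents: write never reaches the test or comment jobs.
    runs-on: ubuntu-latest
    needs: test
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4   # persists GITHUB_TOKEN for git push
      - run: npm ci && npm run build
      - run: |
          git config user.name github-actions
          git config user.email github-actions@github.com
          git add -f dist && git commit -m "deploy"
          git push --force origin HEAD:gh-pages
```

A quick check after merging a change like this is to open a run's log and confirm the "GITHUB_TOKEN Permissions" summary at the top of each job lists only the scopes the table expects.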

ilhan007 added 2 commits May 15, 2026 07:06
Prepare for the upcoming read-only default GITHUB_TOKEN enforcement
by declaring minimum required permissions in all workflows.

- contents: read for CI, lint, and workflows using PATs for writes
- contents: write for deploy (pushes to gh-pages via GITHUB_TOKEN)
- issues: write for issue management workflows

This workflow is superseded by the v1 job in release.yaml which
handles the same flow (conventional-graduate + publish with dist-tag).
@ilhan007 ilhan007 closed this May 15, 2026
@ilhan007 ilhan007 reopened this May 15, 2026
@ilhan007 ilhan007 requested a review from nnaydenow May 15, 2026 07:07
@ilhan007 ilhan007 merged commit b86c0bd into main May 15, 2026
24 of 27 checks passed
@ilhan007 ilhan007 deleted the chore/workflow-permissions branch May 15, 2026 11:19
