Specify default permissions, other security for "Update Label Directory" & "Flag Issues Unlabeled..." workflows (#8595)

t-will-gillis · web-flow · commit 99590c6a826d · 2026-04-06T08:44:38.000-07:00
* add default permissions, replace hard-coded url with secret

* Clarify comments about Google Apps Script URL

Updated comments for clarity regarding Google Apps Script URL.

* Add permissions to flag issues unlabeled after deletion

Add permissions for reading contents in workflow
diff --git a/.github/workflows/flag-issues-unlabeled-after-deletion.yml b/.github/workflows/flag-issues-unlabeled-after-deletion.yml
@@ -14,6 +14,9 @@ on:
       HACKFORLA_BOT_PA_TOKEN:
         required: true
 
+permissions:
+  contents: read
+  
 jobs:
   Flag-Issues-Unlabeled-After-Deletion:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-label-directory.yml b/.github/workflows/update-label-directory.yml
@@ -7,6 +7,9 @@ on:
   label:
     types: [edited, created, deleted]
 
+permissions:
+    contents: read
+
 jobs:
   # Check if the deleted label was in use. If so, flag the deletion and affected issues
   Flag-Issues-Unlabeled-After-Deletion:
@@ -35,14 +38,14 @@ jobs:
             const labelPacket = script({g: github, c: context})
             return labelPacket
 
-      # NOTE: the the URL below matches the **current deployment URL** of the Apps Script
-      # associated with the 'Source of Truth'Label spreadsheet and maintained by
-      # `hackforla-bot@hackforla.org`. (If something is broken, check this link first)
+      # NOTE: the secret below references the **current deployment URL** of the Google
+      # Apps Script associated with the 'Source of Truth'Label spreadsheet and maintained
+      # by `hackforla-bot@hackforla.org`. (If something is broken, check this link first)
       - name: Send POST request to Google Apps Script
         env:
           label_edits: ${{ steps.update-label-directory.outputs.result }}
         run: |
-          curl -X POST "https://script.google.com/macros/s/AKfycbw_kmDVqQW5J8wXWl1BXvJzALU6k0XYpAc5XJ7inQSyq8_opUuNg4ToBzh3Gf4M5jhw/exec" \
+          curl -X POST "${{ secrets.GOOGLE_APPS_UPDATE_LABEL_DIRECTORY_URL }}" \
           -H "Content-Type: application/json" \
           -d "$label_edits"
 
