feat: add actions-permissions advisor to all workflows

gforsyth · gforsyth · commit 92c0e4d808d5 · 2026-05-27T16:48:43.000-04:00
diff --git a/.github/workflows/breaking-change-alert.yaml b/.github/workflows/breaking-change-alert.yaml
@@ -54,6 +54,12 @@ defaults:
     shell: bash
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   notify-breaking-changes:
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/build-devcontainer.yaml b/.github/workflows/build-devcontainer.yaml
@@ -53,6 +53,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   build:
     timeout-minutes: ${{ inputs.timeout-minutes }}
     strategy:
diff --git a/.github/workflows/build-devcontainers.yaml b/.github/workflows/build-devcontainers.yaml
@@ -26,6 +26,12 @@ on:
         default: true
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   build:
     uses: ./.github/workflows/build-devcontainer.yaml
     permissions:
diff --git a/.github/workflows/build-in-devcontainer.yaml b/.github/workflows/build-in-devcontainer.yaml
@@ -88,6 +88,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   build:
     timeout-minutes: ${{ inputs.timeout-minutes }}
     strategy:
diff --git a/.github/workflows/changed-files.yaml b/.github/workflows/changed-files.yaml
@@ -51,6 +51,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   changed-files:
     runs-on: ubuntu-latest
     name: "Check changed files"
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -47,6 +47,12 @@ defaults:
     shell: bash
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   other-checks:
     runs-on: ubuntu-latest
     container:
diff --git a/.github/workflows/compute-matrix.yaml b/.github/workflows/compute-matrix.yaml
@@ -39,6 +39,12 @@ on:
       matrix:
         value: ${{ jobs.compute-matrix.outputs.matrix }}
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   compute-matrix:
     runs-on: ubuntu-latest
     env:
diff --git a/.github/workflows/conda-cpp-build.yaml b/.github/workflows/conda-cpp-build.yaml
@@ -81,6 +81,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   compute-matrix:
     uses: ./.github/workflows/compute-matrix.yaml
     with:
diff --git a/.github/workflows/conda-cpp-post-build-checks.yaml b/.github/workflows/conda-cpp-post-build-checks.yaml
@@ -51,6 +51,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   check-symbols:
     runs-on: linux-amd64-cpu4
     container:
diff --git a/.github/workflows/conda-cpp-tests.yaml b/.github/workflows/conda-cpp-tests.yaml
@@ -118,6 +118,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   compute-matrix:
     uses: ./.github/workflows/compute-matrix.yaml
     with:
diff --git a/.github/workflows/conda-python-build.yaml b/.github/workflows/conda-python-build.yaml
@@ -91,6 +91,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   compute-matrix:
     uses: ./.github/workflows/compute-matrix.yaml
     with:
diff --git a/.github/workflows/conda-python-tests.yaml b/.github/workflows/conda-python-tests.yaml
@@ -121,6 +121,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   compute-matrix:
     uses: ./.github/workflows/compute-matrix.yaml
     with:
diff --git a/.github/workflows/conda-upload-packages.yaml b/.github/workflows/conda-upload-packages.yaml
@@ -64,6 +64,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   upload:
     runs-on: linux-amd64-cpu4
     container:
diff --git a/.github/workflows/custom-job.yaml b/.github/workflows/custom-job.yaml
@@ -118,6 +118,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   build:
     strategy:
       fail-fast: false
diff --git a/.github/workflows/permissions-advisor.yaml b/.github/workflows/permissions-advisor.yaml
@@ -0,0 +1,26 @@
+name: Permissions Advisor
+
+permissions:
+  actions: read
+
+on:
+  workflow_dispatch:
+    inputs:
+      name:
+        description: 'The name of the workflow file to analyze'
+        required: true
+        type: string
+      count:
+        description: 'How many last runs to analyze'
+        required: false
+        type: string
+        default: "10"
+
+jobs:
+  advisor:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: GitHubSecurityLab/actions-permissions/advisor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+      with:
+        name: ${{ inputs.name }}
+        count: ${{ fromJSON(inputs.count) }}
diff --git a/.github/workflows/pr-builder.yaml b/.github/workflows/pr-builder.yaml
@@ -10,6 +10,12 @@ on:
         default: '{}'
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   run:
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/project-get-item-id.yaml b/.github/workflows/project-get-item-id.yaml
@@ -26,6 +26,12 @@ on:
         value: ${{ jobs.get_items_project_id.outputs.ITEM_PROJECT_ID }}
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   get_items_project_id:
     runs-on: ubuntu-latest
     outputs:
diff --git a/.github/workflows/project-get-set-iteration-field.yaml b/.github/workflows/project-get-set-iteration-field.yaml
@@ -52,6 +52,12 @@ on:
         description: "The iteration option ID"
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   get_set_iteration_option_id:
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/project-get-set-single-select-field.yaml b/.github/workflows/project-get-set-single-select-field.yaml
@@ -63,6 +63,12 @@ on:
         description: "The single_select option ID"
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   get_set_single_select_option_id:
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/project-set-text-date-numeric-field.yaml b/.github/workflows/project-set-text-date-numeric-field.yaml
@@ -47,6 +47,12 @@ on:
         required: true
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   set_text_date_numeric_option_id:
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/project-update-linked-issues.yaml b/.github/workflows/project-update-linked-issues.yaml
@@ -44,6 +44,12 @@ on:
 
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
     synchronize_linked_issues:
       runs-on: ubuntu-latest
       permissions:
diff --git a/.github/workflows/update-latest-branch.yaml b/.github/workflows/update-latest-branch.yaml
@@ -16,6 +16,12 @@ on:
         default: false
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   update-latest-branch:
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/wheels-build.yaml b/.github/workflows/wheels-build.yaml
@@ -121,6 +121,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   compute-matrix:
     uses: ./.github/workflows/compute-matrix.yaml
     with:
diff --git a/.github/workflows/wheels-publish.yaml b/.github/workflows/wheels-publish.yaml
@@ -71,6 +71,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   wheel-publish:
     name: wheels publish
     # Use a self-hosted runner to ensure we have sufficient disk space. Using
diff --git a/.github/workflows/wheels-test.yaml b/.github/workflows/wheels-test.yaml
@@ -145,6 +145,12 @@ permissions:
   statuses: none
 
 jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@bf82d13b9b10051d224345ab9184f5ede0a94289 # v1.0
+        with:
+          config: '{ "create_artifact": true, "enabled": true, "debug": false }'
   compute-matrix:
     uses: ./.github/workflows/compute-matrix.yaml
     with:
