diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index b8f12ac6be..be3740374a 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml @@ -7,6 +7,8 @@ concurrency: ${{ github.workflow }}-${{ github.ref }} jobs: release: name: Tests + permissions: + contents: read runs-on: ubuntu-22.04 steps: - name: Checkout Repo diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 284a669269..5ba49c811b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,7 +19,6 @@ jobs: uses: actions/setup-node@v3 with: node-version: lts/* - cache: 'yarn' - name: Install Dependencies run: yarn install --frozen-lockfile diff --git a/.github/workflows/style-check.yml b/.github/workflows/style-check.yml index 5b6eb5e0c5..4dfb4340e2 100644 --- a/.github/workflows/style-check.yml +++ b/.github/workflows/style-check.yml @@ -5,6 +5,8 @@ on: [push, pull_request_target] jobs: eslint_check_upload: runs-on: ubuntu-latest + permissions: + contents: read name: ESLint Check and Report Upload steps: @@ -36,6 +38,8 @@ jobs: annotation: # Skip the annotation action in push events if: github.event_name == 'pull_request_target' + permissions: + checks: write needs: eslint_check_upload runs-on: ubuntu-latest name: ESLint Annotation @@ -52,6 +56,8 @@ jobs: prettier_check: # In the forked PR, it's hard to format code and push to the branch directly, so the action only check the format correctness. if: github.event_name != 'push' && github.event.pull_request.head.repo.full_name != 'rrweb-io/rrweb' + permissions: + contents: read runs-on: ubuntu-latest name: Format Check steps: @@ -73,6 +79,8 @@ jobs: # Skip the format code action in forked PRs if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'rrweb-io/rrweb' runs-on: ubuntu-latest + permissions: + contents: write name: Format Code steps: - uses: actions/checkout@v3