chore(workflows): update permissions across GitHub Actions workflows … (#14919)

…for consistency
2026-04-21 13:37:22 +00:00 · 2025-10-06 17:36:41 +02:00 · 2025-10-06 17:36:41 +02:00 · 93d55d1bc2
commit 93d55d1bc2
parent 843689ee05
19 changed files with 69 additions and 27 deletions
--- a/.github/workflows/cd-deploy-main.yaml
+++ b/.github/workflows/cd-deploy-main.yaml
@ -1,8 +1,13 @@
 name: CD deploy main
+
+permissions:
+  contents: read
+
 on:
  push:
    branches:
      - main
+
 jobs:
  deploy-main:
    timeout-minutes: 3
--- a/.github/workflows/cd-deploy-tag.yaml
+++ b/.github/workflows/cd-deploy-tag.yaml
@ -1,8 +1,13 @@
 name: CD deploy tag
+
+permissions:
+  contents: read
+
 on:
  push:
    tags:
      - 'v*'
+
 jobs:
  deploy-tag:
    timeout-minutes: 3
--- a/.github/workflows/changed-files.yaml
+++ b/.github/workflows/changed-files.yaml
@ -1,4 +1,5 @@
 name: Changed files reusable workflow
+
 on:
  workflow_call:
    inputs:
--- a/.github/workflows/ci-cli.yaml
+++ b/.github/workflows/ci-cli.yaml
@ -1,4 +1,5 @@
 name: CI CLI
+
 on:
  push:
    branches:
--- a/.github/workflows/ci-e2e.yaml
+++ b/.github/workflows/ci-e2e.yaml
@ -1,4 +1,5 @@
 name: CI E2E Playwright Tests
+
 on:
  push:
    branches:
--- a/.github/workflows/ci-emails.yaml
+++ b/.github/workflows/ci-emails.yaml
@ -1,4 +1,8 @@
 name: CI Emails
+
+permissions:
+  contents: read
+
 on:
  push:
    branches:
--- a/.github/workflows/ci-front.yaml
+++ b/.github/workflows/ci-front.yaml
@ -1,4 +1,5 @@
 name: CI Front
+
 on:
  push:
    branches:
--- a/.github/workflows/ci-release-create.yaml
+++ b/.github/workflows/ci-release-create.yaml
@ -1,4 +1,9 @@
 name: "Release: create"
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
  workflow_dispatch:
    inputs:
@ -35,11 +40,11 @@ jobs:
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v6
        with:
-            branch: release/${{ steps.sanitize.outputs.version }}
-            commit-message: "chore: release v${{ steps.sanitize.outputs.version }}"
-            committer: Github Action Deploy <github-action-deploy@twenty.com>
-            author: Github Action Deploy <github-action-deploy@twenty.com>
-            title: Release v${{ steps.sanitize.outputs.version }}
-            labels: |
-              release
-              ${{ github.event.inputs.create_release == true && 'create_release' || '' }}
+          branch: release/${{ steps.sanitize.outputs.version }}
+          commit-message: "chore: release v${{ steps.sanitize.outputs.version }}"
+          committer: Github Action Deploy <github-action-deploy@twenty.com>
+          author: Github Action Deploy <github-action-deploy@twenty.com>
+          title: Release v${{ steps.sanitize.outputs.version }}
+          labels: |
+            release
+            ${{ github.event.inputs.create_release == true && 'create_release' || '' }}
--- a/.github/workflows/ci-release-merge.yaml
+++ b/.github/workflows/ci-release-merge.yaml
@ -1,4 +1,8 @@
 name: "Release: on merge"
+
+permissions:
+  contents: write
+
 on:
  pull_request:
    types:
--- a/.github/workflows/ci-server.yaml
+++ b/.github/workflows/ci-server.yaml
@ -1,4 +1,5 @@
 name: CI Server
+
 on:
  push:
    branches:
--- a/.github/workflows/ci-shared.yaml
+++ b/.github/workflows/ci-shared.yaml
@ -1,4 +1,5 @@
 name: CI Shared
+
 on:
  push:
    branches:
--- a/.github/workflows/ci-utils.yaml
+++ b/.github/workflows/ci-utils.yaml
@ -1,4 +1,5 @@
 name: CI Utils
+
 on:
  # it's usually not recommended to use pull_request_target
  # but we consider it's safe here if we keep the same steps
@ -6,6 +7,7 @@ on:
  # and: https://github.com/facebook/react-native/pull/34370/files
  pull_request_target:
    types: [opened, synchronize, reopened, closed]
+
 permissions:
  actions: write
  checks: write
@ -13,6 +15,7 @@ permissions:
  issues: write
  pull-requests: write
  statuses: write
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # We don't cancel in-progress because this workflow is triggered on
--- a/.github/workflows/ci-website.yaml
+++ b/.github/workflows/ci-website.yaml
@ -1,4 +1,8 @@
 name: CI Website
+
+permissions:
+  contents: read
+
 on:
  push:
    branches:
--- a/.github/workflows/i18n-pull.yaml
+++ b/.github/workflows/i18n-pull.yaml
@ -3,6 +3,10 @@

 name: 'Pull translations from Crowdin'

+permissions:
+  contents: write
+  pull-requests: write
+
 on:
  schedule:
    - cron: '0 */2 * * *' # Every two hours.
@ -29,10 +33,6 @@ jobs:
  pull_translations:
    name: Pull translations
    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/.github/workflows/i18n-push.yaml
+++ b/.github/workflows/i18n-push.yaml
@ -1,5 +1,9 @@
 name: 'Push translations to Crowdin'

+permissions:
+  contents: write
+  pull-requests: write
+
 on:
  workflow_dispatch:
  workflow_call:
@ -14,9 +18,6 @@ jobs:
  extract_translations:
    name: Extract and upload translations
    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/.github/workflows/preview-env-dispatch.yaml
+++ b/.github/workflows/preview-env-dispatch.yaml
@ -1,5 +1,10 @@
 name: 'Preview Environment Dispatch'

+permissions:
+  contents: write
+  actions: write
+  pull-requests: read
+
 on:
  # Using pull_request_target instead of pull_request to have access to secrets for external contributors
  # Security note: This is safe because we're only using the repository-dispatch action with limited scope
@ -19,10 +24,6 @@ concurrency:

 jobs:
  trigger-preview:
-    permissions:
-      contents: write
-      actions: write
-      pull-requests: read
    if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || (github.event.action == 'labeled' && github.event.label.name == 'preview-app')
    timeout-minutes: 5
    runs-on: ubuntu-latest
--- a/.github/workflows/preview-env-keepalive.yaml
+++ b/.github/workflows/preview-env-keepalive.yaml
@ -1,5 +1,9 @@
 name: 'Preview Environment Keep Alive'

+permissions:
+  contents: read
+  pull-requests: write
+
 on:
  repository_dispatch:
    types: [preview-environment]
--- a/package.json
+++ b/package.json
@ -20,7 +20,7 @@
    "date-fns": "^2.30.0",
    "date-fns-tz": "^2.0.0",
    "deep-equal": "^2.2.2",
-    "dotenv-cli": "^7.2.1",
+    "dotenv-cli": "^7.4.4",
    "drizzle-orm": "^0.29.3",
    "file-type": "16.5.4",
    "framer-motion": "^11.18.0",
@ -163,7 +163,7 @@
    "concurrently": "^8.2.2",
    "cross-var": "^1.1.0",
    "danger": "^11.3.0",
-    "dotenv-cli": "^7.2.1",
+    "dotenv-cli": "^7.4.4",
    "esbuild": "^0.25.10",
    "eslint": "^9.32.0",
    "eslint-config-prettier": "^9.1.0",
--- a/yarn.lock
+++ b/yarn.lock
@ -30878,17 +30878,17 @@ __metadata:
  languageName: node
  linkType: hard

-"dotenv-cli@npm:^7.2.1":
-  version: 7.4.2
-  resolution: "dotenv-cli@npm:7.4.2"
+"dotenv-cli@npm:^7.4.4":
+  version: 7.4.4
+  resolution: "dotenv-cli@npm:7.4.4"
  dependencies:
-    cross-spawn: "npm:^7.0.3"
+    cross-spawn: "npm:^7.0.6"
    dotenv: "npm:^16.3.0"
    dotenv-expand: "npm:^10.0.0"
    minimist: "npm:^1.2.6"
  bin:
    dotenv: cli.js
-  checksum: 10c0/7841bfaa78975aa6b51e529bf5795e062bc6e595021d1931427bb55a6f75e1775d944f4dd91bef8accbbd539c466bfee48fa804e0f6b3a1bcf18ae7de0d64bed
+  checksum: 10c0/180801e02dcc02da4557338f48caa54740e38ffef39c7cd231e283d6fc32f4112186980773344df85a4514db28fdedace94d1b83a706ac39a4f1c2c3a402e71d
  languageName: node
  linkType: hard

@ -53398,7 +53398,7 @@ __metadata:
    date-fns: "npm:^2.30.0"
    date-fns-tz: "npm:^2.0.0"
    deep-equal: "npm:^2.2.2"
-    dotenv-cli: "npm:^7.2.1"
+    dotenv-cli: "npm:^7.4.4"
    drizzle-orm: "npm:^0.29.3"
    esbuild: "npm:^0.25.10"
    eslint: "npm:^9.32.0"