diff --git a/.github/workflows/ci-backend.yml b/.github/workflows/ci-backend.yml index 85d1fe3a9..3211c885e 100644 --- a/.github/workflows/ci-backend.yml +++ b/.github/workflows/ci-backend.yml @@ -22,6 +22,7 @@ on: concurrency: group: backend-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} env: DEFAULT_UV_VERSION: "0.10.x" NLTK_DATA: "/usr/share/nltk_data" @@ -29,6 +30,8 @@ jobs: test: name: "Python ${{ matrix.python-version }}" runs-on: ubuntu-24.04 + permissions: + contents: read strategy: matrix: python-version: ['3.10', '3.11', '3.12'] @@ -102,6 +105,8 @@ jobs: typing: name: Check project typing runs-on: ubuntu-24.04 + permissions: + contents: read env: DEFAULT_PYTHON: "3.12" steps: diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index 3fa5a6870..b09b399cc 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -15,6 +15,7 @@ on: concurrency: group: docker-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} env: REGISTRY: ghcr.io jobs: diff --git a/.github/workflows/ci-docs.yml b/.github/workflows/ci-docs.yml index 9496037f4..35004bb18 100644 --- a/.github/workflows/ci-docs.yml +++ b/.github/workflows/ci-docs.yml @@ -21,10 +21,7 @@ on: concurrency: group: docs-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true -permissions: - contents: read - pages: write - id-token: write +permissions: {} env: DEFAULT_UV_VERSION: "0.10.x" DEFAULT_PYTHON_VERSION: "3.12" @@ -32,6 +29,8 @@ jobs: build: name: Build Documentation runs-on: ubuntu-24.04 + permissions: + contents: read steps: - uses: actions/configure-pages@v5 - name: Checkout 
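Review bot: The workflow-level `permissions: {}` added to ci-docker.yml has no matching job-level grant anywhere in this hunk, and the `REGISTRY: ghcr.io` env strongly suggests a job pushes images with GITHUB_TOKEN, which needs `packages: write` (plus `contents: read` for checkout) once the default is emptied. The same pattern recurs in the cleanup-tags.yml, codeql-analysis.yml and translate-strings.yml hunks: deleting registry tags, uploading CodeQL results (`security-events: write`) and pushing generated strings (`contents: write`) all stop working with an empty default unless each job already carries its own `permissions:` block. Those job bodies lie outside the hunks, so this may already be handled; if not, add e.g. `permissions:` / `  contents: read` / `  packages: write` on the image build job and the equivalent scope on the others. Confirm each of these four workflows on a real run rather than from the diff alone.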
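Review bot: The `build` job in ci-docs.yml now runs `actions/configure-pages@v5` with only `contents: read`, but that action queries the repository's Pages site through the API and typically needs at least `pages: read` (`pages: write` when `enablement: true` is set); with the workflow default now `{}` this step may fail with a 403 where it previously inherited `pages: write`. Consider `permissions:` / `  contents: read` / `  pages: read` on the job. The rest of the job's steps are outside the hunk, so verify on a run before merging.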
@@ -67,6 +66,10 @@ jobs: needs: build if: github.event_name == 'push' && github.ref == 'refs/heads/main' runs-on: ubuntu-24.04 + permissions: + contents: read + pages: write + id-token: write environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/.github/workflows/ci-frontend.yml b/.github/workflows/ci-frontend.yml index 1b64c8251..ec083a98a 100644 --- a/.github/workflows/ci-frontend.yml +++ b/.github/workflows/ci-frontend.yml @@ -16,10 +16,13 @@ on: concurrency: group: frontend-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} jobs: install-dependencies: name: Install Dependencies runs-on: ubuntu-24.04 + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v6 @@ -47,6 +50,8 @@ jobs: name: Lint needs: install-dependencies runs-on: ubuntu-24.04 + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v6 @@ -75,6 +80,8 @@ jobs: name: "Unit Tests (${{ matrix.shard-index }}/${{ matrix.shard-count }})" needs: install-dependencies runs-on: ubuntu-24.04 + permissions: + contents: read strategy: fail-fast: false matrix: @@ -121,6 +128,8 @@ jobs: name: "E2E Tests (${{ matrix.shard-index }}/${{ matrix.shard-count }})" needs: install-dependencies runs-on: ubuntu-24.04 + permissions: + contents: read container: mcr.microsoft.com/playwright:v1.58.2-noble env: PLAYWRIGHT_BROWSERS_PATH: /ms-playwright @@ -161,6 +170,8 @@ jobs: name: Bundle Analysis needs: [unit-tests, e2e-tests] runs-on: ubuntu-24.04 + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v6 diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index c4df7d893..484342304 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml 
@@ -9,10 +9,13 @@ on: concurrency: group: lint-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} jobs: lint: name: Linting via prek runs-on: ubuntu-slim + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v6.0.2 diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index 11b90f713..ddbb70191 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -7,6 +7,7 @@ on: concurrency: group: release-${{ github.ref }} cancel-in-progress: false +permissions: {} env: DEFAULT_UV_VERSION: "0.10.x" DEFAULT_PYTHON_VERSION: "3.12" @@ -14,6 +15,10 @@ jobs: wait-for-docker: name: Wait for Docker Build runs-on: ubuntu-24.04 + permissions: + # lewagon/wait-on-check-action reads workflow check runs + actions: read + contents: read steps: - name: Wait for Docker build uses: lewagon/wait-on-check-action@v1.5.0 @@ -26,6 +31,8 @@ jobs: name: Build Release needs: wait-for-docker runs-on: ubuntu-24.04 + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v6 @@ -127,6 +134,10 @@ jobs: name: Publish Release needs: build-release runs-on: ubuntu-24.04 + permissions: + # release-drafter reads PRs to build the changelog and creates/publishes the release + contents: write + pull-requests: read outputs: prerelease: ${{ steps.get-version.outputs.prerelease }} changelog: ${{ steps.create-release.outputs.body }} @@ -174,6 +185,11 @@ jobs: needs: publish-release if: needs.publish-release.outputs.prerelease == 'false' runs-on: ubuntu-24.04 + permissions: + # git push of the changelog branch requires contents: write + # github.rest.pulls.create() and github.rest.issues.addLabels() require pull-requests: write + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@v6 diff --git a/.github/workflows/cleanup-tags.yml b/.github/workflows/cleanup-tags.yml index bc2ae655f..8e76ce7b6 100644 
--- a/.github/workflows/cleanup-tags.yml +++ b/.github/workflows/cleanup-tags.yml @@ -12,6 +12,7 @@ on: concurrency: group: registry-tags-cleanup cancel-in-progress: false +permissions: {} jobs: cleanup-images: name: Cleanup Image Tags for ${{ matrix.primary-name }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 941d83648..36de0df2c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -18,6 +18,7 @@ on: branches: [dev] schedule: - cron: '28 13 * * 5' +permissions: {} jobs: analyze: name: Analyze diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml index 29fb4c181..08c6484ca 100644 --- a/.github/workflows/crowdin.yml +++ b/.github/workflows/crowdin.yml @@ -6,11 +6,16 @@ on: push: paths: ['src/locale/**', 'src-ui/messages.xlf', 'src-ui/src/locale/**'] branches: [dev] +permissions: {} jobs: synchronize-with-crowdin: name: Crowdin Sync if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 + permissions: + # Crowdin action pushes translation branches and creates/updates PRs via GITHUB_TOKEN + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@v6 diff --git a/.github/workflows/pr-bot.yml b/.github/workflows/pr-bot.yml index 8e3b7951d..1672cb84a 100644 --- a/.github/workflows/pr-bot.yml +++ b/.github/workflows/pr-bot.yml @@ -2,13 +2,15 @@ name: PR Bot on: pull_request_target: types: [opened] -permissions: - contents: read - pull-requests: write +permissions: {} jobs: pr-bot: name: Automated PR Bot runs-on: ubuntu-latest + permissions: + # labeler reads file paths; all steps add labels or post comments on PRs + contents: read + pull-requests: write steps: - name: Label PR by file path or branch name # see .github/labeler.yml for the labeler config diff --git a/.github/workflows/project-actions.yml b/.github/workflows/project-actions.yml index ed27a0255..46031d000 100644 
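Review bot: The job-level block in pr-bot.yml grants `pull-requests: write` under a `pull_request_target` trigger, so the token is the base repository's privileged token while the event payload comes from the fork's PR; the grant is right for labeling, but the remaining steps are outside the hunk, so confirm none of them checks out or executes code from `github.event.pull_request.head`. A one-line comment next to the existing labeler comment, e.g. `# pull_request_target: do not check out or run PR head code in this job`, would record why the job stays read-only on contents.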
--- a/.github/workflows/project-actions.yml +++ b/.github/workflows/project-actions.yml @@ -7,13 +7,14 @@ on: branches: - main - dev -permissions: - contents: read +permissions: {} jobs: pr_opened_or_reopened: name: pr_opened_or_reopened runs-on: ubuntu-24.04 permissions: + # release-drafter reads its config file from the repo + contents: read # write permission is required for autolabeler pull-requests: write if: github.event_name == 'pull_request_target' && (github.event.action == 'opened' || github.event.action == 'reopened') && github.event.pull_request.user.login != 'dependabot' diff --git a/.github/workflows/repo-maintenance.yml b/.github/workflows/repo-maintenance.yml index 342165476..6ae5ae999 100644 --- a/.github/workflows/repo-maintenance.yml +++ b/.github/workflows/repo-maintenance.yml @@ -3,10 +3,7 @@ on: schedule: - cron: '0 3 * * *' workflow_dispatch: -permissions: - issues: write - pull-requests: write - discussions: write +permissions: {} concurrency: group: lock jobs: @@ -14,6 +11,9 @@ jobs: name: 'Stale' if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@v10 with: @@ -36,6 +36,10 @@ jobs: name: 'Lock Old Threads' if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 + permissions: + issues: write + pull-requests: write + discussions: write steps: - uses: dessant/lock-threads@v6 with: @@ -56,6 +60,8 @@ jobs: name: 'Close Answered Discussions' if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 + permissions: + discussions: write steps: - uses: actions/github-script@v8 with: @@ -113,6 +119,8 @@ jobs: name: 'Close Outdated Discussions' if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 + permissions: + discussions: write steps: - uses: actions/github-script@v8 with: 
@@ -205,6 +213,8 @@ jobs: name: 'Close Unsupported Feature Requests' if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 + permissions: + discussions: write steps: - uses: actions/github-script@v8 with: diff --git a/.github/workflows/translate-strings.yml b/.github/workflows/translate-strings.yml index 4cf4d2b5b..6b1564e2e 100644 --- a/.github/workflows/translate-strings.yml +++ b/.github/workflows/translate-strings.yml @@ -3,6 +3,7 @@ on: push: branches: - dev +permissions: {} jobs: generate-translate-strings: name: Generate Translation Strings