ci: harden workflows and cancel in-progress workflows whenever new ch…

…anges are pushed up (#318) This just applies some standard stuff ensuring jobs only have the permissions they actually need and that in-progress jobs are cancelled whenever new changes are pushed up to reduce CI spend.
ackama · Apr 21, 2024 · ebaa98b · ebaa98b
1 parent 61c3369
commit ebaa98b
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -1,13 +1,24 @@
 name: Checks
 on: [pull_request]
 
+concurrency:
+  # Pushing new changes to a branch will cancel any in-progress CI runs of this workflow
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
+
 env:
   # reduces noise from npm post-install scripts
   DISABLE_OPENCOLLECTIVE: true
   OPEN_SOURCE_CONTRIBUTOR: true
 
 jobs:
   commitlint:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -18,6 +29,8 @@ jobs:
         with:
           configFile: './package.json'
   docs:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -37,6 +50,8 @@ jobs:
             | xargs -I '{}' bash -c \
               'echo "::error file={}::This needs to be regenerated by running \`tools:generate-configs-list\`" && false'
   lint:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     # prettier-ignore
     name: Lint on ${{ matrix.os }} with eslint v${{ matrix.eslint }}, using Node.js LTS
     strategy:
@@ -47,6 +62,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: 20.x
@@ -56,6 +73,8 @@ jobs:
       - run: npm install eslint@${{ matrix.eslint }} --no-fund
       - run: npm run lint
   test:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on ${{ matrix.os }} using Node.js LTS
     strategy:
       fail-fast: false
@@ -64,6 +83,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: 20.x
@@ -72,6 +93,8 @@ jobs:
       - run: npm ci
       - run: npm run test
   typecheck:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Typecheck on ${{ matrix.os }} using Node.js LTS
     strategy:
       fail-fast: false
@@ -80,6 +103,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: 20.x

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -4,13 +4,21 @@ on:
     branches:
       - main
 
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
+
 env:
   # reduces noise from npm post-install scripts
   DISABLE_OPENCOLLECTIVE: true
   OPEN_SOURCE_CONTRIBUTOR: true
 
 jobs:
   release:
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4