From 06534ac765d9e4ec8a5911b54c1e7964bad764e4 Mon Sep 17 00:00:00 2001
From: Musale Martin
Date: Fri, 26 Jan 2024 21:36:16 +0300
Subject: [PATCH] chore: Add permissions for workflows requiring GITHUB_TOKEN (#2971)
* Add permissions for workflows requiring GITHUB_TOKEN
* Write deployments permissions
* Switch deployments with content permission event
* Add permission blocks for PR Quality Reporting
* Move permission block to the root level
* Add content write permissions for gh-pages
---------
Co-authored-by: Nickii Miaro
Co-authored-by: Gavin Barron
---
.github/workflows/pr-clean-deployments.yml | 4 ++++
.github/workflows/pr-reporting.yml | 4 ++++
.github/workflows/pr-storybook.yml | 4 ++++
.github/workflows/pr-test-app.yml | 4 ++++
.github/workflows/pr.yml | 3 +++
.github/workflows/project-automation.yml | 11 ++++++++---
.github/workflows/push-preview-release.yml | 4 ++++
.github/workflows/push-release.yml | 2 ++
.github/workflows/storybook.yml | 3 +++
9 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pr-clean-deployments.yml b/.github/workflows/pr-clean-deployments.yml
index af0d950bed..57c8c6eb43 100644
--- a/.github/workflows/pr-clean-deployments.yml
+++ b/.github/workflows/pr-clean-deployments.yml
@@ -8,6 +8,10 @@ on: types: [closed] branches: [main, release/**, next/**] +permissions: + pull-requests: write + contents: write + jobs: cleanup: if: "contains(github.event.pull_request.labels.*.name, 'Build: Storybook') || contains(github.event.pull_request.labels.*.name, 'Build: React Contoso')"
diff --git a/.github/workflows/pr-reporting.yml b/.github/workflows/pr-reporting.yml
index 5b4b10be46..ce1001d8fb 100644
--- a/.github/workflows/pr-reporting.yml
+++ b/.github/workflows/pr-reporting.yml
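Review bot: The root-level `permissions` block in pr-clean-deployments.yml hands `contents: write` and `pull-requests: write` to every job in the file, and nothing in the file records why `contents` rather than `deployments` is the scope that removes a preview deployment (the commit message's "Switch deployments with content permission" bullet suggests `deployments` was tried first). If that is the reason, a comment above the block such as `# contents: write — the deployment cleanup step needs it; deployments: write alone was not enough (see #2971)` would keep a later reviewer from tightening it back blindly. Since `permissions:` is also accepted per job, the block can sit under `cleanup:` when the workflow has other jobs, leaving them on the default read-only token; the root-level blocks added to pr-storybook.yml, pr-test-app.yml, pr.yml, push-preview-release.yml, push-release.yml and storybook.yml have the same shape and the same job-level option. The `cleanup` job's body continues outside the hunk.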
@@ -6,11 +6,15 @@ on: types: - completed +permissions: + pull-requests: write + jobs: pr_report: runs-on: ubuntu-latest env: GH_TOKEN: ${{ github.token }} + steps: # added to work around missing .git repo wanted by gh cli - uses: actions/checkout@v4
diff --git a/.github/workflows/pr-storybook.yml b/.github/workflows/pr-storybook.yml
index 003304ed80..f05fdba6d5 100644
--- a/.github/workflows/pr-storybook.yml
+++ b/.github/workflows/pr-storybook.yml
@@ -8,6 +8,10 @@ on: types: [opened, labeled, synchronize, reopened] branches: [main, release/**, next/**] +permissions: + pull-requests: write + contents: write + jobs: storybook: if: "contains(github.event.pull_request.labels.*.name, 'Build: Storybook')"
diff --git a/.github/workflows/pr-test-app.yml b/.github/workflows/pr-test-app.yml
index fe27afffb7..0ccb398fac 100644
--- a/.github/workflows/pr-test-app.yml
+++ b/.github/workflows/pr-test-app.yml
@@ -8,6 +8,10 @@ on: types: [opened, labeled, synchronize, reopened] branches: [main, release/**, next/**] +permissions: + pull-requests: write + contents: write + jobs: react-contoso: if: "contains(github.event.pull_request.labels.*.name, 'Build: React Contoso')"
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 2751add83f..7a5942c2a6 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -9,6 +9,9 @@ on: pull_request: branches: [main, release/**, next/**] +permissions: + pull-requests: write + jobs: build: runs-on: ubuntu-latest
diff --git a/.github/workflows/project-automation.yml b/.github/workflows/project-automation.yml
index 428aadf46b..39c8877983 100644
--- a/.github/workflows/project-automation.yml
+++ b/.github/workflows/project-automation.yml
@@ -5,9 +5,14 @@ on: types: - opened +permissions: + issues: write + repository-projects: read + jobs: track_issue: runs-on: ubuntu-latest + steps: - name: Get project data env:
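Review bot: With `pull-requests: write` declared on a `workflow_run` trigger, the `pr_report` job holds a write-capable `github.token` in the base repository regardless of where the completed run originated, so any data later steps take from that run (artifact contents, a PR number) is untrusted input that should be validated before it reaches `gh`; the steps after `actions/checkout@v4` are outside the hunk, so I cannot see whether that happens. A comment above the block stating what the write scope is for, e.g. `# pull-requests: write — presumably to post the quality report as a PR comment; this token is repo-scoped even when the PR came from a fork`, would make the trust boundary explicit for the next maintainer. The blank line inserted between `env:` and `steps:` is cosmetic.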
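Review bot: `contents: write` at the root of a `pull_request`-triggered workflow whose `types` include `synchronize` makes the write token available to every step of the `storybook` job, including whatever builds the PR branch's code; the identical block is added to pr-test-app.yml for `react-contoso`. If building and publishing to gh-pages happen in the same job, splitting them so that only the publishing job declares `permissions: contents: write` (the build job keeping `contents: read`) limits what code checked out from the PR can reach with that token; the label check in `if:` is the only gate visible here. The `storybook` job's body continues outside the hunk, so I cannot confirm which step actually pushes.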
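Review bot: The `issues: write` and `repository-projects: read` scopes in project-automation.yml only shape the automatic `github.token`, but the `Add issue to project` step in the next hunk overrides `GITHUB_TOKEN` with `secrets.PROJECT_ACCESS_TOKEN`, so that step is governed by the PAT's scopes and not by this block; the org-level `organization.projectNext` query it runs is presumably why a PAT is used at all. Whether `Get project data` (its `env:` continues past the hunk) uses `github.token` or the same PAT decides whether either scope declared here is exercised; if it is the PAT too, `permissions: {}` is the accurate declaration. Either way a comment naming the consuming step, e.g. `# issues: write — used by the 'Get project data' step via github.token`, would document the choice.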
@@ -32,8 +37,8 @@ jobs: }' -f org=$PROJECT_ORGANIZATION -F number=$PROJECT_NUMBER > project_data.json echo 'PROJECT_ID='$(jq '.data.organization.projectNext.id' project_data.json) >> $GITHUB_ENV - - - name: Add issue to project + + - name: Add issue to project env: GITHUB_TOKEN: ${{ secrets.PROJECT_ACCESS_TOKEN }} ISSUE_ID: ${{ github.event.issue.node_id }}
@@ -43,4 +48,4 @@ jobs: addProjectNextItem(input: {projectId: $project, contentId: $issue}) { projectNextItem { id } } - }' -f project=$PROJECT_ID -f issue=$ISSUE_ID \ No newline at end of file + }' -f project=$PROJECT_ID -f issue=$ISSUE_ID
diff --git a/.github/workflows/push-preview-release.yml b/.github/workflows/push-preview-release.yml
index de10cbcc88..b3744397a0 100644
--- a/.github/workflows/push-preview-release.yml
+++ b/.github/workflows/push-preview-release.yml
@@ -6,6 +6,10 @@ on: push: tags: ['v3.*-preview.*', 'v3.*-rc.*'] +permissions: + contents: write + pull-requests: write + jobs: version: runs-on: ubuntu-latest
diff --git a/.github/workflows/push-release.yml b/.github/workflows/push-release.yml
index c9f8b3c775..5d81731b34 100644
--- a/.github/workflows/push-release.yml
+++ b/.github/workflows/push-release.yml
@@ -6,6 +6,8 @@ name: Release latest on: push: tags: ['v3.*'] +permissions: + contents: write jobs: version:
diff --git a/.github/workflows/storybook.yml b/.github/workflows/storybook.yml
index b58bd3c72f..31d64a0c75 100644
--- a/.github/workflows/storybook.yml
+++ b/.github/workflows/storybook.yml
@@ -10,6 +10,9 @@ on: push: branches: [main] +permissions: + contents: write + jobs: build: runs-on: ubuntu-latest
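Review bot: `pull-requests: write` on push-preview-release.yml, a workflow triggered only by `push` of preview/rc tags, is unusual, and the neighbouring push-release.yml declares `contents: write` alone; if the `version` job opens or comments on a PR, a comment above the scope saying so would justify the asymmetry, otherwise the scope should be dropped. The `version` job's body continues outside the hunk. In push-release.yml the hunk line counts show the block placed directly under `tags:` with no blank line before it, whereas the other files separate `permissions:` from `on:` with a blank line on each side; matching that layout is a small consistency fix.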