Merge pull request #520 from crazy-max/gha-perms

ci: set contents read as default workflow permissions

Author: crazy-max

.github/workflows/build.yml

@@ -1,26 +1,34 @@
 name: build
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
       - 'master'
   push:
-    branches: 'master'
+    branches:
+      - 'master'
     tags:
       - '*.*.*'
 
+env:
+  VERSION: "0.0.0"
+
 jobs:
   release:
     runs-on: windows-latest
+    permissions:
+      # required to create GitHub release
+      contents: write
     steps:
       -
         name: Prepare
-        id: prepare
         run: |
           if [[ $GITHUB_REF == refs/tags/* ]]; then
-            echo ::set-output name=version::${GITHUB_REF#refs/tags/}
-          else
-            echo ::set-output name=version::0.0.0
+            echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
           fi
         shell: bash
       -
@@ -45,13 +53,13 @@ jobs:
           version: latest
           args: chocoPack
       -
-        name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        name: Upload artifacts
+        uses: actions/upload-artifact@v4
         with:
           name: WindowsSpyBlocker
           path: |
             bin/WindowsSpyBlocker.exe
-            bin/windowsspyblocker.${{ steps.prepare.outputs.version }}.nupkg
+            bin/windowsspyblocker.${{ env.VERSION }}.nupkg
       -
         name: GitHub Release
         uses: softprops/action-gh-release@v1
@@ -60,10 +68,8 @@ jobs:
           draft: true
           files: |
             bin/WindowsSpyBlocker.exe
-            bin/windowsspyblocker.${{ steps.prepare.outputs.version }}.nupkg
-          name: ${{ steps.prepare.outputs.version }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            bin/windowsspyblocker.${{ env.VERSION }}.nupkg
+          name: ${{ env.VERSION }}
       -
         name: Mage chocoPush
         uses: magefile/mage-action@v2

.github/workflows/docs.yml

@@ -1,5 +1,9 @@
 name: docs
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
@@ -20,6 +24,9 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      # required to push to gh-pages
+      contents: write
     steps:
       -
         name: Checkout

.github/workflows/labels.yml

@@ -1,20 +1,35 @@
 name: labels
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
       - 'master'
     paths:
       - '.github/labels.yml'
       - '.github/workflows/labels.yml'
+  pull_request:
+    paths:
+      - '.github/labels.yml'
+      - '.github/workflows/labels.yml'
 
 jobs:
   labeler:
     runs-on: ubuntu-latest
+    permissions:
+      # same as global permissions
+      contents: read
+      # required to update labels
+      issues: write
     steps:
       -
         name: Checkout
         uses: actions/checkout@v3
       -
         name: Run Labeler
-        uses: crazy-max/ghaction-github-labeler@v4
+        uses: crazy-max/ghaction-github-labeler@v5
+        with:
+          dry-run: ${{ github.event_name == 'pull_request' }}

.github/workflows/released.yml

@@ -1,5 +1,9 @@
 name: released
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   release:
     types:
@@ -8,24 +12,25 @@ on:
 jobs:
   virustotal:
     runs-on: ubuntu-latest
+    permissions:
+      # required to write GitHub Release body
+      contents: write
     steps:
       -
         name: VirusTotal Monitor Scan
-        uses: crazy-max/ghaction-virustotal@v3
+        uses: crazy-max/ghaction-virustotal@v4
         with:
           vt_api_key: ${{ secrets.VT_MONITOR_API_KEY }}
           vt_monitor: true
           monitor_path: /${{ github.event.repository.name }}/${{ github.event.release.tag_name }}
           update_release_body: false
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           files: |
             WindowsSpyBlocker.exe
       -
         name: VirusTotal Scan
-        uses: crazy-max/ghaction-virustotal@v3
+        uses: crazy-max/ghaction-virustotal@v4
         with:
           vt_api_key: ${{ secrets.VT_API_KEY }}
           update_release_body: true
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           files: |
             WindowsSpyBlocker.exe