feat: add token permisson explicitly (#968)

* docs: add `pull-requests:write` permission on description * docs: add permissions on example * ci(gh-actions): add permissons
ddradar · May 5, 2024 · 752eff1 · 752eff1
1 parent 08d09ef
commit 752eff1
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 8 deletions.
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -83,6 +83,9 @@ jobs:
           - windows-2022
           - windows-2019
     runs-on: ${{ matrix.os }}
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.4

diff --git a/.github/workflows/site-cat.yml b/.github/workflows/site-cat.yml
@@ -8,8 +8,11 @@ jobs:
   post:
     runs-on: ubuntu-latest
     if: (!contains(github.actor, '[bot]'))
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
-      - uses: ddradar/lgtm-action@v1
+      - uses: ddradar/lgtm-action@v3.0.0
         with:
           image-url: ${{ vars.LGTM_IMAGE_URI }}
           search-pattern: ${{ vars.LGTM_SEARCH_PATTERN }}
diff --git a/README-ja.md b/README-ja.md
@@ -37,6 +37,9 @@ on:
 jobs:
   post:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: ddradar/lgtm-action@v2.0.2
         with:
@@ -60,6 +63,9 @@ jobs:
   post:
     runs-on: ubuntu-latest
     if: (!contains(github.actor, '[bot]')) # botのコメントを除く
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: ddradar/choose-random-action@v1
         id: act
@@ -75,11 +81,11 @@ jobs:
 
 ## Options
 
-| 名称           |  必須  | 説明                                                                                                               | デフォルト            |
-| -------------- | :----: | :----------------------------------------------------------------------------------------------------------------- | --------------------- |
-| image-url      |  はい  | 画像URL                                                                                                            | -                     |
-| search-pattern | いいえ | このアクションが反応する正規表現パターンをセットします。<br />複数行検索(`RegExp.prototype.multiline`)を行います。 | `^(lgtm\|LGTM)$`      |
-| token          | いいえ | issue にコメントするために使用する、GitHub のアクセストークン。(`issues:write`権限が必要です)                      | `${{ github.token }}` |
+| 名称           |  必須  | 説明                                                                                                                 | デフォルト            |
+| -------------- | :----: | :------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| image-url      |  はい  | 画像URL                                                                                                              | -                     |
+| search-pattern | いいえ | このアクションが反応する正規表現パターンをセットします。<br />複数行検索(`RegExp.prototype.multiline`)を行います。   | `^(lgtm\|LGTM)$`      |
+| token          | いいえ | issue にコメントするために使用する、GitHub のアクセストークン。(`issues:write`と`pull-requests:write`権限が必要です) | `${{ github.token }}` |
 
 ## Screenshots
 

diff --git a/README.md b/README.md
@@ -37,6 +37,9 @@ on:
 jobs:
   post:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: ddradar/lgtm-action@v2.0.2
         with:
@@ -59,6 +62,9 @@ jobs:
   post:
     runs-on: ubuntu-latest
     if: (!contains(github.actor, '[bot]')) # Exclude bot comment
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: ddradar/choose-random-action@v2
         id: act
@@ -78,7 +84,7 @@ jobs:
 | -------------- | :-------: | :------------------------------------------------------------------------------------------------------------ | --------------------- |
 | image-url      |    Yes    | Set your image URL                                                                                            | -                     |
 | search-pattern |    No     | Set regexp pattern this action reacts.<br />This action uses Multi-line(`RegExp.prototype.multiline`) search. | `^(lgtm\|LGTM)$`      |
-| token          |    No     | GitHub Access Token to post issue comment. (requires `issues:write` permission)                               | `${{ github.token }}` |
+| token          |    No     | GitHub Access Token to post issue comment. (requires `issues:write` and `pull-requests:write` permission)     | `${{ github.token }}` |
 
 ## Screenshots
 

diff --git a/action.yml b/action.yml
@@ -6,7 +6,7 @@ inputs:
     description: >
       GitHub Access Token to create issue comment.
       In many cases, you do not need to prepare yourself. (provided by GitHub Actions)
-      Token must have issues:write permission.
+      Token must have issues:write and pull-requests:write permission.
     required: false
     default: ${{ github.token }}
   image-url: