Merge pull request #285 from tangmengqiu/fix/ci-flow

tinkle-community
2025-11-03 10:03:56 +08:00
committed by GitHub


@@ -7,11 +7,18 @@ on:
- dev
- main
# Default permissions for all jobs (can be overridden per job)
permissions:
contents: read # Read repository contents
pull-requests: write # Manage PRs (labels, comments)
issues: write # Manage issues (PRs are issues)
jobs:
# Validate PR title and description
validate-pr:
name: Validate PR Format
runs-on: ubuntu-latest
# Inherits workflow-level permissions (contents: read, pull-requests: write, issues: write)
steps:
- name: Check PR title format
uses: amannn/action-semantic-pull-request@v5
@@ -86,6 +93,8 @@ jobs:
backend-tests:
name: Backend Tests (Go)
runs-on: ubuntu-latest
permissions:
contents: read # Only need read access for testing
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -138,6 +147,8 @@ jobs:
frontend-tests:
name: Frontend Tests (React/TypeScript)
runs-on: ubuntu-latest
permissions:
contents: read # Only need read access for testing
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -176,7 +187,9 @@ jobs:
name: Auto Label PR
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
issues: write # Required: PRs are issues, labeler needs to modify issue labels
steps:
- uses: actions/labeler@v5
with:
@@ -187,6 +200,9 @@ jobs:
security-check:
name: Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write # Required: Upload SARIF results to GitHub Security
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -209,6 +225,8 @@ jobs:
secrets-check:
name: Check for Secrets
runs-on: ubuntu-latest
permissions:
contents: read # Only need read access for scanning
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -226,6 +244,8 @@ jobs:
runs-on: ubuntu-latest
needs: [validate-pr, backend-tests, frontend-tests, security-check, secrets-check]
if: always()
permissions:
contents: read # Only need read access for status checking
steps:
- name: Check all jobs
run: |
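Review bot: The workflow-level `permissions:` block in the first hunk makes `pull-requests: write` and `issues: write` the default for every job, so any job without its own block gets a write-capable token; that includes `validate-pr`, which inherits by design, and any job outside the visible hunks. A tighter layout keeps the workflow default at `contents: read` and declares only the write scopes `validate-pr` actually needs on that job, the same way the label job already carries its own block. The trigger under `on:` is not fully visible here; if it is `pull_request_target`, the token is also issued for fork PRs, so confirm that no job holding write scopes checks out or runs PR-head code. The jobs that hold write scopes reference actions by mutable tag (`amannn/action-semantic-pull-request@v5`, `actions/labeler@v5`); pinning them to a full commit SHA would limit what a retagged release could do with that token.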