fix(chore): Tighten GA write access (#4774)

tjaniczek · web-flow · commit ff0df5454eb1 · 2025-07-17T18:09:37.000+02:00
diff --git a/.github/workflows/check-repro.yml b/.github/workflows/check-repro.yml
diff --git a/.github/workflows/publish-each-pr.yml b/.github/workflows/publish-each-pr.yml
@@ -1,6 +1,10 @@
 name: Expo Preview
 on: [pull_request]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   publish:
     name: Install and publish
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,6 +4,11 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/triage.yaml b/.github/workflows/triage.yaml
@@ -3,6 +3,10 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   needs-more-info:
     runs-on: ubuntu-latest
@@ -13,6 +17,18 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const actor = context.actor;
+            const { data: collaborators } = await github.rest.repos.listCollaborators({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+
+            const isCollaborator = collaborators.some(collaborator => collaborator.login === actor);
+            if (!isCollaborator) {
+              console.log(`Actor ${actor} is not a collaborator, skipping workflow`);
+              return;
+            }
+
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -29,6 +45,18 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const actor = context.actor;
+            const { data: collaborators } = await github.rest.repos.listCollaborators({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+
+            const isCollaborator = collaborators.some(collaborator => collaborator.login === actor);
+            if (!isCollaborator) {
+              console.log(`Actor ${actor} is not a collaborator, skipping workflow`);
+              return;
+            }
+
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
diff --git a/.github/workflows/versions.yml b/.github/workflows/versions.yml
@@ -3,6 +3,10 @@ on:
   issues:
     types: [opened, edited]
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   check-versions:
     if: ${{ github.event.label.name == 'bug' }}
