From 33fc71b22ec4365b389da2ec9f55813e1b898ebb Mon Sep 17 00:00:00 2001 From: mkorwel Date: Tue, 21 Oct 2025 21:54:38 -0700 Subject: [PATCH] refactor(ci): centralize workflow permissions Consolidates all job-level permissions into a single workflow-level block in 'ci.yml'. This simplifies the workflow configuration and makes it easier to manage permissions. The workflow-level permissions now include all necessary permissions for the 'test_linux', 'test_mac', 'codeql', and 'bundle_size' jobs. --- .github/workflows/ci.yml | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e89edd1487..d2682f6a1b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,6 +18,9 @@ permissions: contents: 'read' statuses: 'write' packages: 'read' + pull-requests: 'write' + actions: 'read' + security-events: 'write' defaults: run: @@ -27,10 +30,6 @@ jobs: test_linux: name: 'Test (Linux)' runs-on: 'gemini-cli-ubuntu-16-core' - permissions: - contents: 'read' - checks: 'write' - pull-requests: 'write' strategy: matrix: node-version: @@ -87,10 +86,6 @@ jobs: test_mac: name: 'Test (Mac)' runs-on: '${{ matrix.os }}' - permissions: - contents: 'read' - checks: 'write' - pull-requests: 'write' continue-on-error: true strategy: matrix: @@ -158,10 +153,6 @@ jobs: codeql: name: 'CodeQL' runs-on: 'gemini-cli-ubuntu-16-core' - permissions: - actions: 'read' - contents: 'read' - security-events: 'write' steps: - name: 'Checkout' uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 @@ -181,9 +172,6 @@ jobs: name: 'Check Bundle Size' if: "${{github.event_name == 'pull_request'}}" runs-on: 'gemini-cli-ubuntu-16-core' - permissions: - contents: 'read' # For checkout - pull-requests: 'write' # For commenting steps: - name: 'Checkout'