[ci] Scope permissions for all workflows

.github/workflows/compiler_discord_notify.yml

@@ -7,6 +7,8 @@ on:
       - compiler/**
       - .github/workflows/compiler_**.yml
 
+permissions: {}
+
 jobs:
   check_maintainer:
     uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main

.github/workflows/compiler_playground.yml

@@ -8,6 +8,8 @@ on:
       - compiler/**
       - .github/workflows/compiler_playground.yml
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true

.github/workflows/compiler_prereleases.yml

@@ -20,11 +20,12 @@ on:
       NPM_TOKEN:
         required: true
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
   # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
   SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
-  GH_TOKEN: ${{ github.token }}
   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 defaults:

.github/workflows/compiler_prereleases_manual.yml

@@ -15,6 +15,8 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
 

.github/workflows/compiler_prereleases_nightly.yml

@@ -5,6 +5,8 @@ on:
     # At 10 minutes past 16:00 on Mon, Tue, Wed, Thu, and Fri
     - cron: 10 16 * * 1,2,3,4,5
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
 

.github/workflows/compiler_prereleases_weekly.yml

@@ -5,6 +5,8 @@ on:
     # At 10 minutes past 9:00 on Mon
     - cron: 10 9 * * 1
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
 

.github/workflows/compiler_typescript.yml

@@ -8,6 +8,8 @@ on:
       - compiler/**
       - .github/workflows/compiler_typescript.yml
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true

.github/workflows/devtools_regression_tests.yml

@@ -9,6 +9,8 @@ on:
         required: false
         type: string
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
   # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
@@ -18,6 +20,9 @@ jobs:
   download_build:
     name: Download base build
     runs-on: ubuntu-latest
+    permissions:
+      # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run
+      actions: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4

.github/workflows/runtime_build_and_test.yml

@@ -7,6 +7,8 @@ on:
     paths-ignore:
       - compiler/**
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
@@ -768,6 +770,9 @@ jobs:
     if: ${{ github.event_name == 'pull_request' && github.ref_name != 'main' && github.event.pull_request.base.ref == 'main' }}
     name: Run sizebot
     needs: [build_and_lint]
+    permissions:
+      # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run
+      actions: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/runtime_commit_artifacts.yml

@@ -22,6 +22,8 @@ on:
         default: false
         type: boolean
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
   # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
@@ -30,6 +32,40 @@ env:
 jobs:
   download_artifacts:
     runs-on: ubuntu-latest
+    permissions:
+      # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run
+      actions: read
+    steps:
+      - uses: actions/checkout@v4
+      - name: Restore cached node_modules
+        uses: actions/cache@v4
+        id: node_modules
+        with:
+          path: |
+            **/node_modules
+          key: runtime-release-node_modules-v6-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock', 'scripts/release/yarn.lock') }}
+      - name: Ensure clean build directory
+        run: rm -rf build
+      - run: yarn install --frozen-lockfile
+        if: steps.node_modules.outputs.cache-hit != 'true'
+      - run: yarn --cwd scripts/release install --frozen-lockfile
+        if: steps.node_modules.outputs.cache-hit != 'true'
+      - name: Download artifacts for base revision
+        run: |
+          GH_TOKEN=${{ github.token }} scripts/release/download-experimental-build.js --commit=${{ inputs.commit_sha || github.event.workflow_run.head_sha || github.sha }}
+      - name: Display structure of build
+        run: ls -R build
+      - name: Archive build
+        uses: actions/upload-artifact@v4
+        with:
+          name: build
+          path: build/
+          if-no-files-found: error
+
+
+  process_artifacts:
+    runs-on: ubuntu-latest
+    needs: [download_artifacts]
     outputs:
       www_branch_count: ${{ steps.check_branches.outputs.www_branch_count }}
       fbsource_branch_count: ${{ steps.check_branches.outputs.fbsource_branch_count }}
@@ -69,25 +105,11 @@ jobs:
         run: |
           echo "www_branch_count=$(git ls-remote --heads origin "refs/heads/meta-www" | wc -l)" >> "$GITHUB_OUTPUT"
           echo "fbsource_branch_count=$(git ls-remote --heads origin "refs/heads/meta-fbsource" | wc -l)" >> "$GITHUB_OUTPUT"
-      - uses: actions/setup-node@v4
+      - name: Restore downloaded build
+        uses: actions/download-artifact@v4
         with:
-          node-version-file: '.nvmrc'
-          cache: yarn
-          cache-dependency-path: yarn.lock
-      - name: Restore cached node_modules
-        uses: actions/cache@v4
-        id: node_modules
-        with:
-          path: |
-            **/node_modules
-          key: runtime-release-node_modules-v6-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock', 'scripts/release/yarn.lock') }}
-      - name: Ensure clean build directory
-        run: rm -rf build
-      - run: yarn install --frozen-lockfile
-      - run: yarn --cwd scripts/release install --frozen-lockfile
-      - name: Download artifacts for base revision
-        run: |
-          GH_TOKEN=${{ github.token }} scripts/release/download-experimental-build.js --commit=${{ inputs.commit_sha || github.event.workflow_run.head_sha || github.sha }}
+          name: build
+          path: build
       - name: Display structure of build
         run: ls -R build
       - name: Strip @license from eslint plugin and react-refresh
@@ -178,8 +200,8 @@ jobs:
           if-no-files-found: error
 
   commit_www_artifacts:
-    needs: download_artifacts
-    if: inputs.force == true || (github.ref == 'refs/heads/main' && needs.download_artifacts.outputs.www_branch_count == '0')
+    needs: [download_artifacts, process_artifacts]
+    if: inputs.force == true || (github.ref == 'refs/heads/main' && needs.process_artifacts.outputs.www_branch_count == '0')
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -192,12 +214,12 @@ jobs:
           name: compiled
           path: compiled/
       - name: Revert version changes
-        if: needs.download_artifacts.outputs.last_version_classic != '' && needs.download_artifacts.outputs.last_version_modern != ''
+        if: needs.process_artifacts.outputs.last_version_classic != '' && needs.process_artifacts.outputs.last_version_modern != ''
         env:
-          CURRENT_VERSION_CLASSIC: ${{ needs.download_artifacts.outputs.current_version_classic }}
-          CURRENT_VERSION_MODERN: ${{ needs.download_artifacts.outputs.current_version_modern }}
-          LAST_VERSION_CLASSIC: ${{ needs.download_artifacts.outputs.last_version_classic }}
-          LAST_VERSION_MODERN: ${{ needs.download_artifacts.outputs.last_version_modern }}
+          CURRENT_VERSION_CLASSIC: ${{ needs.process_artifacts.outputs.current_version_classic }}
+          CURRENT_VERSION_MODERN: ${{ needs.process_artifacts.outputs.current_version_modern }}
+          LAST_VERSION_CLASSIC: ${{ needs.process_artifacts.outputs.last_version_classic }}
+          LAST_VERSION_MODERN: ${{ needs.process_artifacts.outputs.last_version_modern }}
         run: |
           echo "Reverting $CURRENT_VERSION_CLASSIC to $LAST_VERSION_CLASSIC"
           grep -rl "$CURRENT_VERSION_CLASSIC" ./compiled || echo "No files found with $CURRENT_VERSION_CLASSIC"
@@ -227,12 +249,12 @@ jobs:
             echo "should_commit=false" >> "$GITHUB_OUTPUT"
           fi
       - name: Re-apply version changes
-        if: inputs.force == true || (steps.check_should_commit.outputs.should_commit == 'true' && needs.download_artifacts.outputs.last_version_classic != '' && needs.download_artifacts.outputs.last_version_modern != '')
+        if: inputs.force == true || (steps.check_should_commit.outputs.should_commit == 'true' && needs.process_artifacts.outputs.last_version_classic != '' && needs.process_artifacts.outputs.last_version_modern != '')
         env:
-          CURRENT_VERSION_CLASSIC: ${{ needs.download_artifacts.outputs.current_version_classic }}
-          CURRENT_VERSION_MODERN: ${{ needs.download_artifacts.outputs.current_version_modern }}
-          LAST_VERSION_CLASSIC: ${{ needs.download_artifacts.outputs.last_version_classic }}
-          LAST_VERSION_MODERN: ${{ needs.download_artifacts.outputs.last_version_modern }}
+          CURRENT_VERSION_CLASSIC: ${{ needs.process_artifacts.outputs.current_version_classic }}
+          CURRENT_VERSION_MODERN: ${{ needs.process_artifacts.outputs.current_version_modern }}
+          LAST_VERSION_CLASSIC: ${{ needs.process_artifacts.outputs.last_version_classic }}
+          LAST_VERSION_MODERN: ${{ needs.process_artifacts.outputs.last_version_modern }}
         run: |
           echo "Re-applying $LAST_VERSION_CLASSIC to $CURRENT_VERSION_CLASSIC"
           grep -rl "$LAST_VERSION_CLASSIC" ./compiled || echo "No files found with $LAST_VERSION_CLASSIC"
@@ -266,8 +288,8 @@ jobs:
         run: git push
 
   commit_fbsource_artifacts:
-    needs: download_artifacts
-    if: inputs.force == true || (github.ref == 'refs/heads/main' && needs.download_artifacts.outputs.fbsource_branch_count == '0')
+    needs: [download_artifacts, process_artifacts]
+    if: inputs.force == true || (github.ref == 'refs/heads/main' && needs.process_artifacts.outputs.fbsource_branch_count == '0')
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -280,10 +302,10 @@ jobs:
           name: compiled-rn
           path: compiled-rn/
       - name: Revert version changes
-        if: needs.download_artifacts.outputs.last_version_rn != ''
+        if: needs.process_artifacts.outputs.last_version_rn != ''
         env:
-          CURRENT_VERSION: ${{ needs.download_artifacts.outputs.current_version_rn }}
-          LAST_VERSION: ${{ needs.download_artifacts.outputs.last_version_rn }}
+          CURRENT_VERSION: ${{ needs.process_artifacts.outputs.current_version_rn }}
+          LAST_VERSION: ${{ needs.process_artifacts.outputs.last_version_rn }}
         run: |
           echo "Reverting $CURRENT_VERSION to $LAST_VERSION"
           grep -rl "$CURRENT_VERSION" ./compiled-rn || echo "No files found with $CURRENT_VERSION"
@@ -309,10 +331,10 @@ jobs:
             echo "should_commit=false" >> "$GITHUB_OUTPUT"
           fi
       - name: Re-apply version changes
-        if: inputs.force == true || (steps.check_should_commit.outputs.should_commit == 'true' && needs.download_artifacts.outputs.last_version_rn != '')
+        if: inputs.force == true || (steps.check_should_commit.outputs.should_commit == 'true' && needs.process_artifacts.outputs.last_version_rn != '')
         env:
-          CURRENT_VERSION: ${{ needs.download_artifacts.outputs.current_version_rn }}
-          LAST_VERSION: ${{ needs.download_artifacts.outputs.last_version_rn }}
+          CURRENT_VERSION: ${{ needs.process_artifacts.outputs.current_version_rn }}
+          LAST_VERSION: ${{ needs.process_artifacts.outputs.last_version_rn }}
         run: |
           echo "Re-applying $LAST_VERSION to $CURRENT_VERSION"
           grep -rl "$LAST_VERSION" ./compiled-rn || echo "No files found with $LAST_VERSION"

.github/workflows/runtime_discord_notify.yml

@@ -7,6 +7,8 @@ on:
       - compiler/**
       - .github/workflows/compiler_**.yml
 
+permissions: {}
+
 jobs:
   check_maintainer:
     uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main

.github/workflows/runtime_eslint_plugin_e2e.yml

@@ -7,6 +7,8 @@ on:
     paths-ignore:
       - compiler/**
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true

.github/workflows/runtime_fuzz_tests.yml

@@ -8,6 +8,8 @@ on:
       - main
   workflow_dispatch:
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
 

.github/workflows/runtime_prereleases.yml

@@ -17,11 +17,12 @@ on:
       NPM_TOKEN:
         required: true
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
   # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
   SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
-  GH_TOKEN: ${{ github.token }}
   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 jobs:

.github/workflows/runtime_prereleases_manual.yml

@@ -6,6 +6,8 @@ on:
       prerelease_commit_sha:
         required: true
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
 

.github/workflows/runtime_prereleases_nightly.yml

@@ -5,6 +5,8 @@ on:
     # At 10 minutes past 16:00 on Mon, Tue, Wed, Thu, and Fri
     - cron: 10 16 * * 1,2,3,4,5
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
 

.github/workflows/runtime_releases_from_npm_manual.yml

@@ -31,11 +31,12 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
   # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
   SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
-  GH_TOKEN: ${{ github.token }}
   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 jobs:

.github/workflows/shared_check_maintainer.yml

@@ -14,6 +14,8 @@ on:
       is_core_team:
         value: ${{ jobs.check_maintainer.outputs.is_core_team }}
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
   # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
@@ -22,6 +24,9 @@ env:
 jobs:
   check_maintainer:
     runs-on: ubuntu-latest
+    permissions:
+      # We fetch the contents of the MAINTAINERS file
+      contents: read
     outputs:
       is_core_team: ${{ steps.check_if_actor_is_maintainer.outputs.result }}
     steps:

.github/workflows/shared_cleanup_merged_branch_caches.yml

@@ -11,6 +11,8 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

.github/workflows/shared_cleanup_stale_branch_caches.yml

@@ -6,6 +6,8 @@ on:
     - cron: 0 0 * * *
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

.github/workflows/shared_close_direct_sync_branch_prs.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - 'builds/facebook-**'
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
   # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout

.github/workflows/shared_label_core_team_prs.yml

@@ -3,6 +3,8 @@ name: (Shared) Label Core Team PRs
 on:
   pull_request_target:
 
+permissions: {}
+
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
   # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout