Ci security tweaks (#9010)

pngwn · web-flow · commit 98475a2ebc57 · 2024-08-05T20:23:28.000+01:00
* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd
diff --git a/.github/workflows/previews-deploy.yml b/.github/workflows/previews-deploy.yml
@@ -7,8 +7,6 @@ on:
     types:
       - completed
 
-permissions:
-  statuses: write
 concurrency:
   group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
   cancel-in-progress: true
@@ -57,6 +55,8 @@ jobs:
     needs: changes
     if: ${{ needs.changes.outputs.should_run == 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@v4
diff --git a/.github/workflows/website-deploy.yml b/.github/workflows/website-deploy.yml
@@ -6,9 +6,6 @@ on:
     types:
       - completed
 
-permissions:
-  statuses: write
-
 concurrency:
   group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
   cancel-in-progress: true
@@ -57,6 +54,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: changes
     if: needs.changes.outputs.should_run == 'true'
+    permissions:
+      actions: read
     outputs:
       vercel_url: ${{ steps.output_url.outputs.vercel_url }}
     env:
