Conversation

@AMoreaux AMoreaux commented Oct 6, 2025

…for consistency

@AMoreaux AMoreaux requested a review from FelixMalfait October 6, 2025 14:58
@AMoreaux AMoreaux self-assigned this Oct 6, 2025

@greptile-apps greptile-apps bot left a comment


Greptile Overview

Summary

This PR implements a security hardening initiative by standardizing permissions declarations across all GitHub Actions workflows in the repository. The changes add explicit `permissions` blocks to 17 workflow files, moving away from relying on default GitHub Actions permissions to following the principle of least privilege.

The modifications fall into two categories:

  1. Read-only workflows: CI/test workflows (ci-server.yaml, ci-front.yaml, ci-e2e.yaml, etc.) now declare contents: read permission, which is the minimum required to checkout code and run builds/tests.
  2. Write-enabled workflows: Release and deployment workflows (ci-release-merge.yaml, i18n-push.yaml, etc.) declare appropriate write permissions like contents: write and pull-requests: write based on their specific needs.

Several workflows also reorganize permissions from job-level to workflow-level declarations (i18n-push.yaml, i18n-pull.yaml, preview-env-dispatch.yaml) for consistency. The changes include minor formatting improvements with blank lines for better readability.

This systematic approach aligns with GitHub's security best practices by making permission grants explicit and auditable, rather than inheriting potentially broader default permissions. Each workflow receives only the minimum permissions necessary for its specific operations - CI workflows get read access for testing, while release workflows get write access for tagging and creating releases.

Important Files Changed

Changed Files

| Filename | Score | Overview |
|---|---|---|
| .github/workflows/ci-server.yaml | 5/5 | Adds explicit contents: read permission for security best practices in CI workflow |
| .github/workflows/i18n-push.yaml | 5/5 | Moves permissions from job level to workflow level for consistency, maintains same functionality |
| .github/workflows/ci-front.yaml | 5/5 | Adds contents: read permission and formatting improvements for frontend CI workflow |
| .github/workflows/ci-e2e.yaml | 5/5 | Adds explicit contents: read permission to E2E testing workflow |
| .github/workflows/cd-deploy-main.yaml | 5/5 | Adds contents: read permission to main deployment workflow with formatting improvements |
| .github/workflows/ci-utils.yaml | 5/5 | Adds comprehensive permissions for utils workflow that interacts with PRs and checks |
| .github/workflows/i18n-pull.yaml | 5/5 | Moves permissions to workflow level for consistency in translation management workflow |
| .github/workflows/changed-files.yaml | 5/5 | Adds contents: read permission to reusable workflow for file change detection |
| .github/workflows/ci-emails.yaml | 5/5 | Adds explicit read permission to email CI workflow following security best practices |
| .github/workflows/ci-shared.yaml | 5/5 | Adds contents: read permission to shared package CI workflow |
| .github/workflows/preview-env-keepalive.yaml | 5/5 | Adds appropriate permissions for preview environment management with PR commenting |
| .github/workflows/ci-cli.yaml | 5/5 | Adds minimal read permission to CLI CI workflow with formatting improvements |
| .github/workflows/cd-deploy-tag.yaml | 5/5 | Adds contents: read permission to tag deployment workflow |
| .github/workflows/ci-website.yaml | 5/5 | Adds read-only permission to website CI workflow following security guidelines |
| .github/workflows/ci-release-create.yaml | 5/5 | Adds release workflow permissions and fixes indentation for create-pull-request action |
| .github/workflows/preview-env-dispatch.yaml | 4/5 | Moves permissions to workflow level while maintaining appropriate write access for dispatch |
| .github/workflows/ci-release-merge.yaml | 5/5 | Adds essential contents: write permission for tag creation and release operations |

Confidence score: 5/5

  • This PR is extremely safe to merge with minimal risk as it only adds security improvements without changing functionality
  • Score reflects thorough security hardening through explicit permission declarations following GitHub best practices
  • No files require special attention as all changes are security improvements with appropriate permissions for each workflow's needs

Sequence Diagram

sequenceDiagram
    participant User
    participant GitHub
    participant WorkflowRunner as "GitHub Actions Runner"
    participant InfraRepo as "twenty-infra Repository"

    User->>GitHub: "Push to main branch"
    GitHub->>WorkflowRunner: "Trigger CD deploy main workflow"
    
    WorkflowRunner->>WorkflowRunner: "Run deploy-main job (timeout: 3 minutes)"
    WorkflowRunner->>GitHub: "Use TWENTY_INFRA_TOKEN for authentication"
    
    WorkflowRunner->>InfraRepo: "Send repository dispatch event"
    Note over WorkflowRunner,InfraRepo: event-type: auto-deploy-main<br/>client-payload: github context
    
    InfraRepo->>InfraRepo: "Receive dispatch event and trigger deployment"

17 files reviewed, no comments

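To make the pattern this PR applies concrete, here is an added example (a hypothetical workflow, not one of the repository's own files): a workflow-level read-only block, as added to the CI workflows, plus one job that needs PR write access, as in the preview-environment workflows. The workflow name, job names and the `gh pr comment` step are assumptions for illustration.

```yaml
# Added example, not from the PR. Before this change a workflow with no
# `permissions` key gets the repository/organization default for the
# GITHUB_TOKEN, which can be read-write on every scope:
#
#   name: ci-example
#   on: [pull_request]
#   jobs:
#     test:
#       runs-on: ubuntu-latest
#       steps:
#         - uses: actions/checkout@v4
#         - run: npm test
#
# After: an explicit workflow-level block. Listing any scope sets every
# unlisted scope to `none`, so `contents: read` alone is the minimum that
# still lets actions/checkout clone the repository.
name: ci-example  # hypothetical workflow name
on:
  pull_request:

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test

  # A job that must comment on the PR gets its own job-level block. A
  # job-level `permissions` key replaces the workflow-level set for that job
  # (unlisted scopes become `none`), so `contents: read` is repeated here
  # rather than inherited. Only this job receives `pull-requests: write`.
  comment:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "CI finished (example comment)"  # hypothetical step
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

Reviewing a workflow then reduces to checking that each `permissions` block lists only the scopes its steps actually use.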


@FelixMalfait FelixMalfait left a comment


Can you check by changing the root package.json or something? (e.g. dotenv-cli appears in both dev and non-dev dependencies)


github-actions bot commented Oct 6, 2025

🚀 Preview Environment Ready!

Your preview environment is available at: http://bore.pub:13497

This environment will automatically shut down when the PR is closed or after 5 hours.

@AMoreaux AMoreaux merged commit 93d55d1 into main Oct 6, 2025
57 checks passed
@AMoreaux AMoreaux deleted the chore/declare-permission-in-github-workflow branch October 6, 2025 15:36