chore(workflows): update permissions across GitHub Actions workflows …

.github/workflows/cd-deploy-main.yaml

@@ -1,8 +1,13 @@
 name: CD deploy main
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:
       - main
+
 jobs:
   deploy-main:
     timeout-minutes: 3

.github/workflows/cd-deploy-tag.yaml

@@ -1,8 +1,13 @@
 name: CD deploy tag
+
+permissions:
+  contents: read
+
 on:
   push:
     tags:
       - 'v*'
+
 jobs:
   deploy-tag:
     timeout-minutes: 3

.github/workflows/changed-files.yaml

@@ -1,4 +1,5 @@
 name: Changed files reusable workflow
+
 on:
   workflow_call:
     inputs:

.github/workflows/ci-cli.yaml

@@ -1,4 +1,5 @@
 name: CI CLI
+
 on:
   push:
     branches:

.github/workflows/ci-e2e.yaml

@@ -1,4 +1,5 @@
 name: CI E2E Playwright Tests
+
 on:
   push:
     branches:

.github/workflows/ci-emails.yaml

@@ -1,4 +1,8 @@
 name: CI Emails
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/ci-front.yaml

@@ -1,4 +1,5 @@
 name: CI Front
+
 on:
   push:
     branches:

.github/workflows/ci-release-create.yaml

@@ -1,4 +1,9 @@
 name: "Release: create"
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   workflow_dispatch:
     inputs:
@@ -35,11 +40,11 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v6
         with:
-            branch: release/${{ steps.sanitize.outputs.version }}
-            commit-message: "chore: release v${{ steps.sanitize.outputs.version }}"
-            committer: Github Action Deploy <[email protected]>
-            author: Github Action Deploy <[email protected]>
-            title: Release v${{ steps.sanitize.outputs.version }}
-            labels: |
-              release
-              ${{ github.event.inputs.create_release == true && 'create_release' || '' }}
+          branch: release/${{ steps.sanitize.outputs.version }}
+          commit-message: "chore: release v${{ steps.sanitize.outputs.version }}"
+          committer: Github Action Deploy <[email protected]>
+          author: Github Action Deploy <[email protected]>
+          title: Release v${{ steps.sanitize.outputs.version }}
+          labels: |
+            release
+            ${{ github.event.inputs.create_release == true && 'create_release' || '' }}

.github/workflows/ci-release-merge.yaml

@@ -1,4 +1,8 @@
 name: "Release: on merge"
+
+permissions:
+  contents: write
+
 on:
   pull_request:
     types:

.github/workflows/ci-server.yaml

@@ -1,4 +1,5 @@
 name: CI Server
+
 on:
   push:
     branches:

.github/workflows/ci-shared.yaml

@@ -1,4 +1,5 @@
 name: CI Shared
+
 on:
   push:
     branches:

.github/workflows/ci-utils.yaml

@@ -1,18 +1,21 @@
 name: CI Utils
+
 on:
   # it's usually not recommended to use pull_request_target
   # but we consider it's safe here if we keep the same steps
   # see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
   # and: https://github.com/facebook/react-native/pull/34370/files
   pull_request_target:
     types: [opened, synchronize, reopened, closed]
+
 permissions:
   actions: write
   checks: write
   contents: write
   issues: write
   pull-requests: write
   statuses: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   # We don't cancel in-progress because this workflow is triggered on

.github/workflows/ci-website.yaml

@@ -1,4 +1,8 @@
 name: CI Website
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/i18n-pull.yaml

@@ -3,6 +3,10 @@
 
 name: 'Pull translations from Crowdin'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
   schedule:
     - cron: '0 */2 * * *' # Every two hours.
@@ -29,10 +33,6 @@ jobs:
   pull_translations:
     name: Pull translations
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/i18n-push.yaml

@@ -1,5 +1,9 @@
 name: 'Push translations to Crowdin'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -14,9 +18,6 @@ jobs:
   extract_translations:
     name: Extract and upload translations
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/preview-env-dispatch.yaml

@@ -1,5 +1,10 @@
 name: 'Preview Environment Dispatch'
 
+permissions:
+  contents: write
+  actions: write
+  pull-requests: read
+
 on:
   # Using pull_request_target instead of pull_request to have access to secrets for external contributors
   # Security note: This is safe because we're only using the repository-dispatch action with limited scope
@@ -19,10 +24,6 @@ concurrency:
 
 jobs:
   trigger-preview:
-    permissions:
-      contents: write
-      actions: write
-      pull-requests: read
     if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || (github.event.action == 'labeled' && github.event.label.name == 'preview-app')
     timeout-minutes: 5
     runs-on: ubuntu-latest

.github/workflows/preview-env-keepalive.yaml

@@ -1,5 +1,9 @@
 name: 'Preview Environment Keep Alive'
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   repository_dispatch:
     types: [preview-environment]