ci(github): set permissions in workflows

remarkablemark · web-flow · commit 6b59415630a8 · 2025-08-04T19:29:25.000-04:00
diff --git a/.github/workflows/assign-reviewer.yml b/.github/workflows/assign-reviewer.yml
@@ -1,18 +1,22 @@
 name: Assign Reviewer
 on: pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   assign-reviewer:
     runs-on: ubuntu-latest
     steps:
       - name: Assign reviewer
         if: >
-          startsWith(github.event.pull_request.title, 'build(deps-dev): bump ') == false &&
-          contains(github.event.action, 'opened')
+          github.actor != 'dependabot[bot]'
+          && startsWith(github.event.pull_request.title, 'build(deps-dev): bump ') == false
+          && contains(github.event.action, 'opened')
         run: >
           gh pr edit ${{ github.event.pull_request.html_url }}
           --add-assignee ${{ github.event.pull_request.user.login }}
           --add-reviewer remarkablemark
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ github.token }}
         continue-on-error: true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,6 +1,9 @@
 name: build
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
@@ -1,6 +1,9 @@
 name: commitlint
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/size-limit.yml b/.github/workflows/size-limit.yml
@@ -3,6 +3,10 @@ on:
   pull_request:
     branches:
       - master
+
+permissions:
+  pull-requests: write
+
 jobs:
   size:
     runs-on: ubuntu-latest
