chore: top-level workflow permissions

nosborn · nosborn · commit 9ff49f8f9c7f · 2025-06-12T11:57:19.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,38 +12,42 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 concurrency:
-  group: ci-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - name: Clone the repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
-      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+      - name: Perform pre-commit checks
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
         env:
           SKIP: no-commit-to-branch
 
   local-test:
     needs: pre-commit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Test problem matcher
+      - name: Clone the repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Test the problem matcher
         id: expect-failure
         uses: ./
         with:
           config_file: .markdownlintrc
           files: .
           rules: examples/rules/custom.js
         continue-on-error: true
-      - if: ${{ steps.expect-failure.outcome != 'failure' }}
+      - name: Check the result of the problem matcher test
+        if: ${{ steps.expect-failure.outcome != 'failure' }}
         run: |
           exit 1
       - name: Test ignore_files
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,15 +7,19 @@ on:
     tags:
       - v*.*.*
 
-concurrency: ci-release
+permissions:
+  contents: write
+
+concurrency:
+  group: ${{ github.workflow }}
 
 jobs:
   create-release:
-    permissions:
-      contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+      - name: Clone the repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Create the release
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -10,30 +10,33 @@ on:
       - main
   branch_protection_rule: {}
 
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
 
 jobs:
   analysis:
-    name: Scorecard analysis
     permissions:
       id-token: write
       security-events: write
     if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout code
+      - name: Clone the repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-
-      - name: Run analysis
+      - name: Perform analysis
         uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           publish_results: true
           results_file: results.sarif
           results_format: sarif
-
       - name: Upload to code scanning
         uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.29.0
         with:
diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
@@ -8,8 +8,15 @@ on:
       - published
       - edited
 
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}
+
 jobs:
   actions-tagger:
     runs-on: ubuntu-latest
     steps:
-      - uses: Actions-R-Us/actions-tagger@330ddfac760021349fef7ff62b372f2f691c20fb # v2.03.
+      - uses: Actions-R-Us/actions-tagger@330ddfac760021349fef7ff62b372f2f691c20fb # v2.0.3
