lynx-family · colinaaa · May 17, 2025 · May 17, 2025 · May 17, 2025 · May 17, 2025
diff --git a/.github/workflows/deploy-main.yml b/.github/workflows/deploy-main.yml
@@ -7,6 +7,9 @@ on:
       "release/*",
     ]
 
+# Set default minimum permissions to prevent unnecessary access
+permissions: {}
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
@@ -18,6 +21,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     if: github.repository == 'lynx-family/lynx-stack'
+    permissions:
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -55,11 +61,13 @@ jobs:
       cancel-in-progress: true
     uses: ./.github/workflows/workflow-build.yml
     if: github.repository == 'lynx-family/lynx-stack'
+    permissions: {}
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   benchmark:
     needs: build-all
     uses: ./.github/workflows/workflow-bench.yml
+    permissions: {}
   bundle-analysis:
     permissions: {}
     needs: build-all
@@ -125,7 +133,7 @@ jobs:
         id: date
         run: echo "::set-output name=date::$(date -u +'%Y-%m-%d %H:%M:%S')"
       - name: attempt to release
-        uses: changesets/action@v1
+        uses: changesets/action@e0538e686673de0265c8a3e2904b8c76beaa43fd # v1.5.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -184,6 +192,7 @@ jobs:
     needs: build-all
     if: github.repository == 'lynx-family/lynx-stack'
     uses: ./.github/workflows/workflow-website.yml
+    permissions: {}
   website-deploy:
     needs: website-build
     if: github.repository == 'lynx-family/lynx-stack'
@@ -192,6 +201,7 @@ jobs:
     permissions:
       pages: write # to deploy to Pages
       id-token: write # to verify the deployment originates from an appropriate source
+      contents: read
 
     # Deploy to the github-pages environment
     environment:

diff --git a/.github/workflows/nodejs-dependencies.yml b/.github/workflows/nodejs-dependencies.yml
@@ -7,6 +7,10 @@ name: NodeJS Dependencies
       - package.json
       - pnpm-lock.yaml
       - "**/package.json"
+
+# Set minimum permissions to prevent unnecessary access
+permissions: {}
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
@@ -16,6 +20,8 @@ concurrency:
 jobs:
   sherif:
     runs-on: lynx-ubuntu-24.04-medium
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -9,6 +9,9 @@ on:
       CODECOV_TOKEN:
         required: true
 
+# Set minimum permissions to prevent unnecessary access
+permissions: {}
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
@@ -18,6 +21,8 @@ concurrency:
 jobs:
   test:
     runs-on: lynx-ubuntu-24.04-xlarge
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -46,6 +51,8 @@ jobs:
 
   rustfmt:
     runs-on: lynx-ubuntu-24.04-medium
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -3,9 +3,15 @@ on:
   schedule:
     - cron: "30 17 * * *"
 
+# Set minimum permissions to prevent unnecessary access
+permissions: {}
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write # Need write permission to mark and close stale issues
+      pull-requests: write # Need write permission to mark and close stale PRs
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         if: github.repository == 'lynx-family/lynx-stack'

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,6 +11,7 @@ permissions:
   repository-projects: read
   contents: read
   statuses: read
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
@@ -58,8 +59,6 @@ jobs:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
     permissions:
-      contents: read
-      pull-requests: read
       statuses: write
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -73,6 +72,7 @@ jobs:
   playwright-linux:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
+
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     with:
@@ -87,6 +87,7 @@ jobs:
   playwright-linux-all-on-ui:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
+
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     with:
@@ -102,6 +103,7 @@ jobs:
   test-api:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
+
     with:
       runs-on: lynx-ubuntu-24.04-medium
       run: |
@@ -126,10 +128,6 @@ jobs:
   test-publish:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
-    permissions:
-      contents: read
-      pull-requests: read
-      statuses: read
     with:
       runs-on: lynx-ubuntu-24.04-medium
       run: |

diff --git a/.github/workflows/workflow-test.yml b/.github/workflows/workflow-test.yml
@@ -12,6 +12,7 @@ on:
       run:
         required: true
         type: string
+        description: "Command run parameters, limited to predefined test commands"
       is-web:
         required: false
         type: boolean
@@ -21,12 +22,16 @@ on:
         type: string
         default: "unittest"
 
+# Set minimum permissions to prevent unnecessary access
+permissions: {}
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
 jobs:
   check:
     runs-on: ${{ inputs.runs-on }}
+    permissions: {}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with: