Commit a47c3ef

[chores] Followed principle of least privilege
Moved pr write permission to caller from find-pr
1 parent abfd78c commit a47c3ef

1 file changed

Lines changed: 7 additions & 2 deletions

.github/workflows/bot-ci-failure.yml

@@ -7,7 +7,7 @@ on:
77
- completed
88

99
permissions:
10-
pull-requests: write
10+
pull-requests: read
1111
actions: read
1212
contents: read
1313

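Review bot: The workflow-level `permissions:` block still grants `pull-requests: read`, `actions: read` and `contents: read` as defaults to every job, even though `call-ci-failure-bot` now declares its own block further down. Consider moving these read scopes into the `find-pr` job and setting the top level to `permissions: {}`, so that any job added later starts with no token scopes and has to request what it needs. This matters more than usual here because the workflow runs on a `completed` workflow-run trigger, outside the pull request's own restricted context.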
@@ -36,7 +36,8 @@ jobs:
3636
local pr_author
3737
pr_author=$(gh pr view "$pr_number" --repo "$REPO" --json author --jq '.author.login' 2>/dev/null || echo "")
3838
if [ -z "$pr_author" ]; then
39-
echo "::warning::Could not fetch PR author for PR #$pr_number"
39+
pr_author="${{ github.event.workflow_run.actor.login }}"
40+
echo "::warning::Could not fetch PR author for PR #$pr_number; falling back to @$pr_author"
4041
fi
4142
echo "number=$pr_number" >> "$GITHUB_OUTPUT"
4243
echo "author=$pr_author" >> "$GITHUB_OUTPUT"
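Review bot: The fallback on new line 39 inlines `${{ github.event.workflow_run.actor.login }}` directly into the shell script, so the value is substituted into the script text before the shell parses it. Pass it through the step's `env:` instead (for example a hypothetical `WORKFLOW_ACTOR` variable) and assign `pr_author="$WORKFLOW_ACTOR"`, which keeps event data out of the script body. Also note that the run's actor is whoever triggered the workflow run, which is not necessarily the PR author (a maintainer re-running a job, or another contributor pushing to the branch), so the value written to `author=` may point at the wrong account; the warning text says "falling back" but the downstream consumer cannot tell the difference. A separate output flag or leaving `author` empty would make that explicit.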
@@ -68,6 +69,10 @@ jobs:
6869
call-ci-failure-bot:
6970
needs: find-pr
7071
if: ${{ needs.find-pr.outputs.pr_number != '' }}
72+
permissions:
73+
actions: read
74+
contents: read
75+
pull-requests: write
7176
uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master
7277
with:
7378
pr_number: ${{ needs.find-pr.outputs.pr_number }}
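Review bot: With `pull-requests: write` now granted on `call-ci-failure-bot`, the `uses:` line below it still references the reusable workflow at `@master`, a mutable ref. Whatever lands on that branch runs with this job's write scope, so pinning the reference to a full commit SHA would complete the least-privilege change. The job-level block itself is correct: a called workflow can only keep or narrow the caller's permissions, so `actions: read` and `contents: read` need to be restated here as they are.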
