docs: Add permissions (#215 by @natterstefan)

natterstefan · amannn · web-flow · commit c91b8fb44985 · 2023-05-16T10:24:56.000+02:00
Co-authored-by: Jan Amann &lt;jan@amann.work&gt;
diff --git a/.github/workflows/lint-pr-title-preview-ignoreLabels.yml b/.github/workflows/lint-pr-title-preview-ignoreLabels.yml
@@ -8,12 +8,15 @@ on:
       - labeled
       - unlabeled
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: 16
       - run: yarn install
diff --git a/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml b/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml
@@ -6,12 +6,15 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: 16
       - run: yarn install
diff --git a/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml b/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml
@@ -6,12 +6,15 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: 16
       - run: yarn install
diff --git a/.github/workflows/lint-pr-title-preview.yml b/.github/workflows/lint-pr-title-preview.yml
@@ -6,12 +6,15 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: 16
       - run: yarn install
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
@@ -6,12 +6,15 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: 16
       - uses: ./
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,12 +4,18 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  deployments: write
+  issues: write
+  pull-requests: write
+
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: 16
       - run: yarn install
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,12 +6,15 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: 16
       - run: yarn install
@@ -20,7 +23,7 @@ jobs:
   dist:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with: 
           fetch-depth: 0
       - name: Check if `dist/` has been modified.
diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published, edited]
 
+permissions:
+  deployments: write
+
 jobs:
   actions-tagger:
     runs-on: ubuntu-latest
diff --git a/README.md b/README.md
@@ -1,18 +1,18 @@
 # action-semantic-pull-request
 
-This is a GitHub Action that ensures your PR title matches the [Conventional Commits spec](https://www.conventionalcommits.org/). The typical use case is to use this in combination with a tool like [semantic-release](https://github.com/semantic-release/semantic-release) to automate releases.
+This is a GitHub Action that ensures that your pull request titles match the [Conventional Commits spec](https://www.conventionalcommits.org/). Typically, this is used in combination with a tool like [semantic-release](https://github.com/semantic-release/semantic-release) to automate releases.
 
 Used by: [Apache](https://github.com/apache/pulsar) · [Vercel](https://github.com/vercel/ncc) · [Microsoft](https://github.com/microsoft/SynapseML) · [Firebase](https://github.com/firebase/flutterfire) · [AWS](https://github.com/aws-ia/terraform-aws-eks-blueprints) · [Electron](https://github.com/electron/forge) – and [many more](https://github.com/amannn/action-semantic-pull-request/network/dependents).
 
 ## Examples
 
-**Valid PR titles:**
+**Valid pull request titles:**
 - fix: Correct typo
 - feat: Add support for Node.js 18
 - refactor!: Drop support for Node.js 12
 - feat(ui): Add `Button` component
 
-> Note that since PR titles only have a single line, you have to use `!` to indicate breaking changes.
+> Note that since pull request titles only have a single line, you have to use `!` to indicate breaking changes.
 
 See [Conventional Commits](https://www.conventionalcommits.org/) for more examples.
 
@@ -30,6 +30,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     name: Validate PR title
@@ -40,6 +43,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
+See the [event triggers documentation](#event-triggers) below to learn more about what `pull_request_target` means.
+
 ## Configuration
 
 The action works without configuration, however you can provide options for customization.
@@ -102,15 +107,55 @@ feat(ui): Add `Button` component
           # See: https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-commits-parser#headerpattern
           headerPattern: '^(\w*)(?:\(([\w$.\-*/ ]*)\))?: (.*)$'
           headerPatternCorrespondence: type, scope, subject
-          # For work-in-progress PRs you can typically use draft pull requests 
-          # from GitHub. However, private repositories on the free plan don't have 
-          # this option and therefore this action allows you to opt-in to using the 
-          # special "[WIP]" prefix to indicate this state. This will avoid the 
-          # validation of the PR title and the pull request checks remain pending.
-          # Note that a second check will be reported if this is enabled.
+```
+
+### Work-in-progress pull requests
+
+For work-in-progress PRs you can typically use [draft pull requests from GitHub](https://github.blog/2019-02-14-introducing-draft-pull-requests/). However, private repositories on the free plan don't have this option and therefore this action allows you to opt-in to using the special "[WIP]" prefix to indicate this state.
+
+**Example:**
+
+```
+[WIP] feat: Add support for Node.js 18
+```
+
+This will prevent the PR title from being validated, and pull request checks will remain pending.
+
+**Attention**: If you want to use the this feature, you need to grant the `pull-requests: write` permission to the GitHub Action. This is because the action will update the status of the PR to remain in a pending state while `[WIP]` is present in the PR title.
+
+```yml
+name: "Lint PR"
+
+permissions:
+  pull-requests: write
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
           wip: true
 ```
 
+### Legacy configuration for validating single commits
+
+When using "Squash and merge" on a PR with only one commit, GitHub will suggest using that commit message instead of the PR title for the merge commit. As it's easy to commit this by mistake this action supports two configuration options to provide additional validation for this case. 
+
+```yml
+          # If the PR only contains a single commit, the action will validate that
+          # it matches the configured pattern.
+          validateSingleCommit: true
+          # Related to `validateSingleCommit` you can opt-in to validate that the PR
+          # title matches a single commit to avoid confusion.
+          validateSingleCommitMatchesPrTitle: true
+```
+
+However, [GitHub has introduced an option to streamline this behaviour](https://github.blog/changelog/2022-05-11-default-to-pr-titles-for-squash-merge-commit-messages/), so using that instead should be preferred.
+
 ## Event triggers
 
 There are two events that can be used as triggers for this action, each with different characteristics:
@@ -137,6 +182,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     name: Validate PR title
@@ -174,15 +222,3 @@ jobs:
 
 </details>
 
-## Legacy configuration
-
-When using "Squash and merge" on a PR with only one commit, GitHub will suggest using that commit message instead of the PR title for the merge commit and it's easy to commit this by mistake. To help out in this situation this action supports two configuration options. However, [GitHub has introduced an option to streamline this behaviour](https://github.blog/changelog/2022-05-11-default-to-pr-titles-for-squash-merge-commit-messages/), so using that instead should be preferred.
-
-```yml
-          # If the PR only contains a single commit, the action will validate that
-          # it matches the configured pattern.
-          validateSingleCommit: true
-          # Related to `validateSingleCommit` you can opt-in to validate that the PR
-          # title matches a single commit to avoid confusion.
-          validateSingleCommitMatchesPrTitle: true
-```
