From fe787e6a6650e6d73c10822ecb0737ff23736e45 Mon Sep 17 00:00:00 2001
From: Olivier Tassinari
Date: Wed, 5 Oct 2022 23:23:40 +0200
Subject: [PATCH] improve

---
 .github/workflows/check-if-pr-has-label.yml | 10 +++++++---
 .github/workflows/issue-mark-duplicate.yml | 6 +++---
 .github/workflows/l10n.yml | 6 +++++-
 .github/workflows/maintenance.yml | 5 +++--
 .github/workflows/no-response.yml | 5 +++++
 .github/workflows/support-stackoverflow.yml | 4 +++-
 .github/workflows/vale-action.yml | 4 ++++
 7 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/check-if-pr-has-label.yml b/.github/workflows/check-if-pr-has-label.yml
index 7edb1e78fd389..763a646737dc1 100644
--- a/.github/workflows/check-if-pr-has-label.yml
+++ b/.github/workflows/check-if-pr-has-label.yml
@@ -4,13 +4,17 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled]
 
+permissions:
+  contents: read
+
 jobs:
-  test-label-applied:
-    # Tests that label is added on the PR
+  test-label-applied: # Tests that label is added on the PR
+    permissions:
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
       - uses: mnajdova/github-action-required-labels@v2.1
         with:
           mode: minimum
           count: 1
-          labels: ""
\ No newline at end of file
+          labels: ''
diff --git a/.github/workflows/issue-mark-duplicate.yml b/.github/workflows/issue-mark-duplicate.yml
index c11fc55d4172e..0f74891c43346 100644
--- a/.github/workflows/issue-mark-duplicate.yml
+++ b/.github/workflows/issue-mark-duplicate.yml
@@ -4,14 +4,14 @@ on:
   issue_comment:
     types: [created]
 
-permissions: # added using https://github.com/step-security/secure-workflows
+permissions:
   contents: read
 
 jobs:
   mark-duplicate:
     permissions:
-      issues: write # for actions-cool/issues-helper to update issues
-      pull-requests: write # for actions-cool/issues-helper to update PRs
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: mark-duplicate
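Review bot: The job-level `pull-requests: read` grant in check-if-pr-has-label.yml is still handed to `mnajdova/github-action-required-labels@v2.1`, a third-party action referenced by a mutable tag, so whatever that tag later points to receives the token; pin the reference to a full commit SHA and keep the tag as a comment, `- uses: mnajdova/github-action-required-labels@<commit-sha> # v2.1`, where `<commit-sha>` is a placeholder for the commit the tag currently resolves to. The same applies to `lee-dohm/no-response@v0.5.0` in no-response.yml and `dessant/support-requests@v2` in support-stackoverflow.yml, which this commit also scopes but leaves tag-pinned. Narrowing the token is the right move; SHA-pinning is what makes the narrowed grant stick to a known piece of code.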
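Review bot: The trailing comments that recorded why each write grant exists (`# for actions-cool/issues-helper to update issues`, `# for actions-cool/issues-helper to update PRs`) and where the permissions block came from are dropped in issue-mark-duplicate.yml with no replacement, so a future reader can no longer tell which step needs `issues: write` or `pull-requests: write` and cannot safely remove either. Keep the rationale inline, e.g. `issues: write # actions-cool/issues-helper updates issues` and `pull-requests: write # actions-cool/issues-helper updates PRs`. The second maintenance.yml hunk drops `# for eps1lon/actions-label-merge-conflict to label PRs` the same way, and the new job-level grants added in l10n.yml, no-response.yml and support-stackoverflow.yml would benefit from the same one-line justification naming the consuming step.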
diff --git a/.github/workflows/l10n.yml b/.github/workflows/l10n.yml
index f592f8c8cb081..1168dce7972b9 100644
--- a/.github/workflows/l10n.yml
+++ b/.github/workflows/l10n.yml
@@ -6,9 +6,14 @@ on:
       - master
       - next
 
+permissions:
+  contents: read
+
 jobs:
   # Tests dev-only scripts across all supported dev environments
   update-l10n:
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - run: echo "${{ github.actor }}"
@@ -22,7 +27,6 @@ jobs:
         env:
           # Don't need playwright in this job
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: yarn l10n --report
         env:
           # Don't need playwright in this job
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index 030722599811b..8b90ffc77fffa 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -1,4 +1,5 @@
 name: 'Maintenance'
+
 on:
   # So that PRs touching the same files as the push are updated
   push:
@@ -14,13 +15,13 @@ on:
       - next
     types: [synchronize]
 
-permissions: # added using https://github.com/step-security/secure-workflows
+permissions:
   contents: read
 
 jobs:
   main:
     permissions:
-      pull-requests: write # for eps1lon/actions-label-merge-conflict to label PRs
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: check if prs are dirty
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
index 40be2bbfda4f6..3100803f87ca5 100644
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -9,8 +9,13 @@ on:
     # Schedule for five minutes after the hour, every hour
     - cron: '5 * * * *'
 
+permissions:
+  contents: read
+
 jobs:
   noResponse:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: lee-dohm/no-response@v0.5.0
diff --git a/.github/workflows/support-stackoverflow.yml b/.github/workflows/support-stackoverflow.yml
index 109d45485e8af..e647845ddfc29 100644
--- a/.github/workflows/support-stackoverflow.yml
+++ b/.github/workflows/support-stackoverflow.yml
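Review bot: The `noResponse` job in no-response.yml is granted only `pull-requests: write`, yet `lee-dohm/no-response` closes and comments on stale issues through the issues API, which requires `issues: write` on the token; with the new top-level `contents: read` in place, the job would likely get a 403 on its first close attempt. If the action is configured to act on issues (its `with:` block is outside the hunk), add the grant alongside the existing one, `permissions:` / `  issues: write` / `  pull-requests: write`. Worth confirming by watching the first scheduled run after merge.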
@@ -6,10 +6,12 @@ on:
     types: [labeled, unlabeled, reopened]
 
 permissions:
-  issues: write
+  contents: read
 
 jobs:
   mark-support:
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/support-requests@v2
diff --git a/.github/workflows/vale-action.yml b/.github/workflows/vale-action.yml
index faff771ac11f5..2f0241ec872cf 100644
--- a/.github/workflows/vale-action.yml
+++ b/.github/workflows/vale-action.yml
@@ -1,6 +1,10 @@
 name: reviewdog
+
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   vale:
     name: runner / vale
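Review bot: vale-action.yml is the only workflow in this commit that gets the restrictive top-level `contents: read` without a matching job-level grant, and the `vale` job's steps are outside the hunk; if its reviewdog reporter posts review comments or check annotations on the pull request, the token no longer carries `pull-requests: write` (or `checks: write`) and the findings may silently stop appearing rather than failing loudly. Either confirm the reporter only needs read access, or add `permissions:` / `  pull-requests: write` under the `vale:` job, mirroring the per-job grants the other six workflows receive here.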