ci(workflows): improve security and update actions

- set top-level explicit permissions for each GitHub Actions workflow for improved security and deduplication of permissions. - add `persist-credentials: false` to actions/checkout for improved security - see https://github.com/actions/checkout#checkout-v4 - update actions/checkout from v4 to v5
2026-04-18 05:20:43 +00:00 · 2025-11-06 14:40:54 +01:00
parent 2d64cdad7c
commit 6557514954
13 changed files with 110 additions and 90 deletions
--- a/.github/workflows/chore-pr-comments.yml
+++ b/.github/workflows/chore-pr-comments.yml
@@ -3,20 +3,13 @@ on:
  pull_request_target:
    types:
      - labeled
+
+permissions:
+  pull-requests: write
+
 jobs:
  add-comment:
    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-      contents: read
-      actions: none
-      checks: none
-      deployments: none
-      issues: none
-      packages: none
-      repository-projects: none
-      security-events: none
-      statuses: none
    strategy:
      matrix:
        include: