ci: set necessary token permissions (#2960)

* ci(fonts): set token permission to remove label I've changed [the default permission of the token to read-only](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/) and this is the only place we need write access. * ci(codeql): set token permission to upload result * ci(codeql): set token permission to read actions
2025-10-05 11:18:39 +00:00 · 2021-04-28 03:41:05 +09:00
parent 7578671f43
commit 008c99b415
2 changed files with 8 additions and 0 deletions
--- a/.github/workflows/fonts.yml
+++ b/.github/workflows/fonts.yml
@@ -11,6 +11,9 @@ jobs:
    if: contains(github.event.pull_request.labels.*.name, 'build fonts')
    outputs:
      image: ${{ steps.check-image.outputs.result }}
+    permissions:
+      contents: read
+      pull-requests: write # to remove label

    steps:
    - uses: actions/checkout@v2