ci: update workflows to follow our new guidelines for gh actions (#1250)

tj098895 · web-flow · commit b2630f2343c4 · 2025-11-26T12:37:31.000+01:00
minimize permissions needed, differentiate between event based and reusable workflows Refs: equinor/ecalc-internal#1253
diff --git a/.github/workflows/ensure-code-quality.yml b/.github/workflows/ensure-code-quality.yml
@@ -1,16 +1,18 @@
-name: Pre CI
+name: Ensure Code Quality
 
 on:
-  # Workflow dispatch is used for manual triggers
   workflow_dispatch:
-  # Workflow call is used for called from another workflow
   workflow_call:
 
+permissions: {}
+
 env:
   UV_SYSTEM_PYTHON: 1
 
 jobs:
-  pre-commit: # Static analyzers, formatters and verifying pre-commit hooks has been run for both API and Web
+  run-pre-commit-hooks:
+    permissions:
+      contents: read
     name: Build & Run Pre Commit hooks to verify code structure, quality etc. from pre-commit hooks
     runs-on: ubuntu-24.04
     steps:
diff --git a/.github/workflows/on-push-any-branch.yml b/.github/workflows/on-push-any-branch.yml
@@ -1,4 +1,4 @@
-name: "On push to any branch"
+name: "On push to any branch (not main)"
 
 on:
   push:
@@ -7,19 +7,29 @@ on:
     tags-ignore:
       - '**'
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  pre-ci:
-    uses: ./.github/workflows/pre-ci.yml
+  ensure-code-quality:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/ensure-code-quality.yml
 
-  lib-ci:
-    uses: ./.github/workflows/lib-ci.yml
+  test-library:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/test-library.yml
 
-  examples-ci:
-    uses: ./.github/workflows/examples-ci.yml
+  test-example-notebooks:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/test-example-notebooks.yml
 
-  docs-ci:
-    uses: ./.github/workflows/docs-ci.yml
+  test-docs:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/test-docs.yml
diff --git a/.github/workflows/on-push-main-branch.yml b/.github/workflows/on-push-main-branch.yml
@@ -1,9 +1,11 @@
-name: "Main CI/CD"
+name: "On push to main"
 on:
   push:
     branches:
       - main
 
+permissions: {}
+
 jobs:
 
   # NOTE: This job is needed in order to register a deployment in github (for a given environment), here libecalc-test. We need that in order
@@ -16,14 +18,20 @@ jobs:
       - name: dummy
         run: echo "Deployed"
 
-  pre-ci:
-    uses: ./.github/workflows/pre-ci.yml
+  ensure-code-quality:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/ensure-code-quality.yml
 
-  lib-ci:
-    uses: ./.github/workflows/lib-ci.yml
+  test-library:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/test-library.yml
 
-  docs-publish:
-    uses: ./.github/workflows/docs-publish.yml
+  publish-docs:
+    permissions:
+      contents: write
+    uses: ./.github/workflows/publish-docs.yml
     secrets: inherit
 
 #  trigger-external-workflow:
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -1,16 +1,18 @@
-name: Generate documentation
+name: Generate and publish documentation
 
 on:
-  # Workflow dispatch is used for manual triggers
   workflow_dispatch:
-  # Workflow call is used for called from another workflow
   workflow_call:
 
+permissions: {}
+
 env:
   GITHUB_PAGES_BRANCH: gh-pages
 
 jobs:
   publish-docs:
+    permissions:
+      contents: write  # Needed to push to gh-pages branch
     runs-on: ubuntu-24.04
 
     environment:
diff --git a/.github/workflows/publish-libecalc.yml b/.github/workflows/publish-libecalc.yml
@@ -16,10 +16,13 @@ on:
   # NOTE!: When using Trusted Publishing to PyPI, we cannot do that from within a reusable workflow, therefore
   # we make it independent, and trigger it with published event from release-please workflow, instead of calling explicitly.
 
+permissions: {}
+
 jobs:
-  check-release-created:
+  check-release-created:  # Parses JSON file from release-please workflow to see if a release was created
     permissions:
       actions: read # to dl artifacts from triggering workflow
+      contents: read
     runs-on: ubuntu-24.04
     steps:
       - name: Download release-please outputs
@@ -38,7 +41,7 @@ jobs:
           echo "release_created=$(cat outputs.json | jq -r '.release_created')" >> $GITHUB_OUTPUT
     outputs:
       release-created: ${{ steps.release-created.outputs.release_created }}
-  publish:
+  publish-libecalc-to-pypi:
     needs: check-release-created
     if: ${{ needs.check-release-created.outputs.release-created == 'true' }}
     environment:
@@ -48,6 +51,7 @@ jobs:
       #url: https://test.pypi.org/p/libecalc  # NOTE: If/when we need to test publishing etc to PyPI, we can use Test PyPI
     permissions:
       id-token: write  # Required for Trusted Publishing to PyPI, the pypa action uses this
+      contents: read
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -1,15 +1,20 @@
 name: release-please
 
 on:
-  workflow_dispatch: # Workflow dispatch is used for manual triggers.
+  workflow_dispatch:
   workflow_run:
-    workflows: [ "Main CI/CD" ]
+    workflows: [ "On push to main" ]
     types:
       - completed
 
+permissions: {}
+
 jobs:
   release-please:
-    permissions: write-all
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
     runs-on: ubuntu-24.04
     steps:
       - uses: googleapis/release-please-action@v4
@@ -23,6 +28,8 @@ jobs:
 
   create-output-artifact:
     needs: release-please
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
     steps:
       - name: Create output directory
diff --git a/.github/workflows/test-docs.yml b/.github/workflows/test-docs.yml
@@ -1,13 +1,15 @@
-name: Test Docs
+name: Build and Test Docs
 
 on:
-  # Workflow dispatch is used for manual triggers
   workflow_dispatch:
-  # Workflow call is used for called from another workflow
   workflow_call:
 
+permissions: {}
+
 jobs:
-  publish-docs:
+  build-docs:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
 
     steps:
diff --git a/.github/workflows/test-example-notebooks.yml b/.github/workflows/test-example-notebooks.yml
@@ -1,12 +1,14 @@
-name: Example Notebooks CI
+name: Test Example Notebooks
 on:
-  # Workflow dispatch is used for manual triggers
   workflow_dispatch:
-  # Workflow call is used for called from another workflow
   workflow_call:
 
+permissions: {}
+
 jobs:
-  run-tests:
+  test-example-notebooks:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
diff --git a/.github/workflows/test-library.yml b/.github/workflows/test-library.yml
@@ -1,13 +1,14 @@
-name: CLI CI (Build and test)
+name: Test Library
 on:
-  # Workflow dispatch is used for manual triggers
   workflow_dispatch:
-  # Workflow call is used for called from another workflow
   workflow_call:
 
-# TODO: BuildX and publish to use as in order for web to always be able to fetch image to matching branch?
+permissions: {}
+
 jobs:
-  run-tests:
+  test-library:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
