
Commit a704abc

authored
ci: avoid passing write permissions to oz (#21767)
1 parent 2540ed0 commit a704abc


2 files changed

+38
-16
lines changed


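--- a/.github/workflows/clarity-label.yml
+++ b/.github/workflows/clarity-label.yml
@@ -5,13 +5,17 @@ on:
 types: [opened, edited]
 
 jobs:
-label-clarity:
+evaluate-clarity:
 if: github.event.issue.user.login != 'renovate[bot]'
 runs-on: ubuntu-latest
 permissions:
 contents: read
-issues: write
-pull-requests: write
+issues: read
+pull-requests: read
+outputs:
+agent_output: ${{ steps.agent.outputs.agent_output }}
+number: ${{ steps.description.outputs.number }}
+is_pr: ${{ steps.description.outputs.is_pr }}
 steps:
 - name: Get description
 id: description
@@ -72,13 +76,20 @@ jobs:
 warp_api_key: ${{ secrets.WARP_API_KEY }}
 profile: ${{ vars.WARP_AGENT_PROFILE || '' }}
 
+apply-label:
+needs: evaluate-clarity
+if: needs.evaluate-clarity.outputs.agent_output
+runs-on: ubuntu-latest
+permissions:
+issues: write
+pull-requests: write
+steps:
 - name: Apply clarity label
-if: steps.agent.outputs.agent_output
 uses: actions/github-script@v8
 env:
-AGENT_OUTPUT: ${{ steps.agent.outputs.agent_output }}
-ISSUE_NUMBER: ${{ steps.description.outputs.number }}
-IS_PR: ${{ steps.description.outputs.is_pr }}
+AGENT_OUTPUT: ${{ needs.evaluate-clarity.outputs.agent_output }}
+ISSUE_NUMBER: ${{ needs.evaluate-clarity.outputs.number }}
+IS_PR: ${{ needs.evaluate-clarity.outputs.is_pr }}
 with:
 script: |
 const output = process.env.AGENT_OUTPUT;
@@ -147,10 +158,9 @@ jobs:
 core.info(`Applied label "${newLabel}" — reason: ${result.reason}`);
 
 - name: Write result to summary
-if: steps.agent.outputs.agent_output
 uses: actions/github-script@v8
 env:
-AGENT_OUTPUT: ${{ steps.agent.outputs.agent_output }}
+AGENT_OUTPUT: ${{ needs.evaluate-clarity.outputs.agent_output }}
 with:
 script: |
 const output = process.env.AGENT_OUTPUT;
@@ -168,7 +178,7 @@ jobs:
 }
 } catch (e) {}
 }
-
+
 if (agentText) {
 await core.summary
 .addHeading('Clarity Label')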
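Review bot: The new `apply-label` job is the only holder of `issues: write` and `pull-requests: write`, and it acts on `needs.evaluate-clarity.outputs.agent_output`, which is model output derived from issue text that anyone can submit; the split only contains a manipulated agent if this job treats that value as untrusted. Most of the script body lies outside the visible hunks, so confirm that it parses the output strictly and applies `newLabel` only when it belongs to a fixed allowlist; a comment above the step such as `# AGENT_OUTPUT is untrusted: only labels from the fixed clarity set may be applied` would record that contract. Passing the value through `env:` instead of interpolating `${{ }}` into `script:` is the right pattern and should stay. Consider reading the target from `context.issue.number` in this job rather than the `number` output, so the write-scoped job does not depend on values produced by the job that runs the agent.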

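--- a/.github/workflows/issue-template-check.yml
+++ b/.github/workflows/issue-template-check.yml
@@ -5,15 +5,20 @@ on:
 types: [opened]
 
 jobs:
-check-issue:
+evaluate-issue:
 if: >-
 (contains(github.event.issue.labels.*.name, 'pending triage') ||
 contains(github.event.issue.labels.*.name, 'documentation')) &&
 !github.event.issue.pull_request
 runs-on: ubuntu-latest
 permissions:
 contents: read
-issues: write
+issues: read
+pull-requests: read
+outputs:
+agent_output: ${{ steps.agent.outputs.agent_output }}
+template_type: ${{ steps.detect.outputs.template_type }}
+skip: ${{ steps.detect.outputs.skip }}
 steps:
 - uses: actions/checkout@v6
 
@@ -94,12 +99,19 @@ jobs:
 warp_api_key: ${{ secrets.WARP_API_KEY }}
 profile: ${{ vars.WARP_AGENT_PROFILE || '' }}
 
+post-results:
+needs: evaluate-issue
+if: needs.evaluate-issue.outputs.skip == 'false' && needs.evaluate-issue.outputs.agent_output
+runs-on: ubuntu-latest
+permissions:
+contents: read
+issues: write
+steps:
 - name: Write result to summary
-if: steps.detect.outputs.skip == 'false' && steps.agent.outputs.agent_output
 uses: actions/github-script@v8
 env:
-TEMPLATE_TYPE: ${{ steps.detect.outputs.template_type }}
-AGENT_OUTPUT: ${{ steps.agent.outputs.agent_output }}
+TEMPLATE_TYPE: ${{ needs.evaluate-issue.outputs.template_type }}
+AGENT_OUTPUT: ${{ needs.evaluate-issue.outputs.agent_output }}
 with:
 script: |
 const output = process.env.AGENT_OUTPUT;
@@ -118,7 +130,7 @@ jobs:
 }
 } catch (e) {}
 }
-
+
 if (agentText) {
 await core.summary
 .addHeading(`Issue Template Check (${templateType})`)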
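Review bot: `pull-requests: read` is added to `evaluate-issue` although the job's `if:` already excludes pull requests with `!github.event.issue.pull_request`, so the scope looks unused; unless the agent action requires it, drop the line so the job that reads untrusted issue text holds only `contents: read` and `issues: read`. In `post-results`, `contents: read` is needed only if a step checks out the repository, which these hunks do not show; if none does, remove it too. The steps after "Write result to summary" are outside the hunk but run with `issues: write` and presumably consume `AGENT_OUTPUT`, so anything they post to the issue should be handled as untrusted model text. A comment on the job such as `# agent output is untrusted; this job only formats and posts it` would make that boundary explicit.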
