Add permissions in examples

dflook · dflook · commit 04a89c3c8c71 · 2023-02-02T23:00:32.000Z
GitHub as decided to break all existing examples by changing the default premissions
diff --git a/README.md b/README.md
@@ -51,6 +51,10 @@ name: Create terraform plan
 
 on: [pull_request]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
@@ -77,6 +81,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   apply:
     runs-on: ubuntu-latest
diff --git a/example_workflows/apply_plan.yaml b/example_workflows/apply_plan.yaml
@@ -5,6 +5,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
diff --git a/example_workflows/create_plan.yaml b/example_workflows/create_plan.yaml
@@ -3,6 +3,10 @@ name: Create terraform plan
 on:
   - pull_request
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
diff --git a/example_workflows/validate.yaml b/example_workflows/validate.yaml
@@ -2,8 +2,8 @@ name: Validate changes
 
 on:
   push:
-    branches:
-      - '!main'
+    branches-ignore:
+      - 'main'
 
 jobs:
   fmt-check:
diff --git a/image/Dockerfile-base b/image/Dockerfile-base
@@ -27,7 +27,7 @@ RUN apt-get update  \
     wget \
     gpg \
     gpg-agent \
-    dirmngr \    
+    dirmngr \
  && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir -p $TF_PLUGIN_CACHE_DIR
diff --git a/terraform-apply/README.md b/terraform-apply/README.md
@@ -278,7 +278,8 @@ These input values must be the same as any `terraform-plan` for the same configu
     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   ```
 
-  The token provided by GitHub Actions will work with the default permissions.
+  The token provided by GitHub Actions has default permissions at GitHub's whim. You can see what it is for your repo under the repo settings.
+
   The minimum permissions are `pull-requests: write`.
   It will also likely need `contents: read` so the job can checkout the repo.
 
@@ -401,6 +402,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   apply:
     runs-on: ubuntu-latest
@@ -516,6 +521,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
diff --git a/terraform-plan/README.md b/terraform-plan/README.md
@@ -195,7 +195,8 @@ The [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/
     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   ```
 
-  The token provided by GitHub Actions will work with the default permissions.
+  The token provided by GitHub Actions has default permissions at GitHub's whim. You can see what it is for your repo under the repo settings.
+
   The minimum permissions are `pull-requests: write`.
   It will also likely need `contents: read` so the job can checkout the repo.
 
@@ -385,6 +386,10 @@ name: PR Plan
 
 on: [pull_request]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
@@ -419,6 +424,10 @@ env:
   TERRAFORM_CLOUD_TOKENS: terraform.example.com=${{ secrets.TF_REGISTRY_TOKEN }}
   TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }}
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
@@ -451,6 +460,10 @@ name: Terraform Plan
 
 on: [issue_comment]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'terraform plan') }}
