[GitHub] Update workflows for new permission rules (#4046)

* Update update-api-files.yml

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update stress-test-ui-tests.yml

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update breaking-change-check.yml

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update update-api-files.yml

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update update-api-files.yml

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update beta API files

* Update ci.yml

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update ci.yml

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update GH permissions for CI

* Update permissions for workflows.

* Change files

* Duplicate change files for beta release

* Delete test.txt

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update permission with read-all for testing

* Update permissions in deploy workflow

* Add read-all permissions to workflows

* Update permissions in npm-release-publish.yml

* Update update-api-files.yml

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Update permissions in ci.yml file

* Update permissions in CI workflow

* Update permissions for pull requests

* Delete change-beta/@azure-communication-react-1e9ee08b-b0d6-4834-adc3-3e041756647f.json

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Delete change/@azure-communication-react-1e9ee08b-b0d6-4834-adc3-3e041756647f.json

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>

* Change files

* Duplicate change files for beta release

---------

Signed-off-by: Patrick Latter <73612854+palatter@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: palatter

.github/workflows/alpha-release.yml

@@ -13,7 +13,7 @@ jobs:
   build_and_test:
     name: Build and Test
     runs-on: ubuntu-latest
-
+    permissions: read-all
     steps:
       # Check-out repo
       - uses: actions/checkout@v3

.github/workflows/breaking-change-check.yml

@@ -20,6 +20,7 @@ jobs:
   get_matrix:
     name: Load CI Matrix Details
     runs-on: ubuntu-latest
+    permissions: read-all
     outputs:
       matrix: ${{ steps.get-matrix.outputs.matrix }}
     steps:
@@ -39,6 +40,7 @@ jobs:
     needs: get_matrix
     name: 'Check Breaking Changes (${{ matrix.flavor }})'
     runs-on: ubuntu-latest
+    permissions: read-all
     strategy:
       matrix: ${{ fromJSON(needs.get_matrix.outputs.matrix) }}
     steps:

.github/workflows/ci.yml

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   # get matrix for ci-jobs
   get_matrix:
@@ -128,6 +130,8 @@ jobs:
     if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.base.ref, 'release/') }}
     name: 'Jest Test Coverage (${{ matrix.flavor }})'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     strategy:
       matrix: ${{ fromJSON(needs.get_matrix.outputs.matrix) }}
     steps:
@@ -261,6 +265,8 @@ jobs:
     needs: get_matrix
     name: 'Call Composite automation test (${{ matrix.flavor }})'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     strategy:
       matrix: ${{ fromJSON(needs.get_matrix.outputs.matrix) }}
     steps:
@@ -339,6 +345,8 @@ jobs:
     needs: get_matrix
     name: 'Chat Composite automation test (${{ matrix.flavor }})'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     strategy:
       matrix: ${{ fromJSON(needs.get_matrix.outputs.matrix) }}
     steps:
@@ -417,6 +425,8 @@ jobs:
     needs: get_matrix
     name: 'Call With Chat Composite automation test (${{ matrix.flavor }})'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     strategy:
       matrix: ${{ fromJSON(needs.get_matrix.outputs.matrix) }}
     steps:
@@ -659,6 +669,8 @@ jobs:
     needs: get_matrix
     name: 'Build And Test Static HTML Composites Sample (${{ matrix.flavor }})'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     strategy:
       matrix: ${{ fromJSON(needs.get_matrix.outputs.matrix) }}
     steps:
@@ -721,6 +733,8 @@ jobs:
     needs: get_matrix
     name: 'Build And Test Component+Binding Examples (${{ matrix.flavor }})'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     strategy:
       matrix: ${{ fromJSON(needs.get_matrix.outputs.matrix) }}
     steps:
@@ -781,6 +795,8 @@ jobs:
 
   compare_base_bundle_stats:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.base.ref, 'release/') }}
     name: Compare bundle size from pr head ref to base ref - ${{ matrix.app }}
     needs: [build_calling_sample, build_chat_sample, build_call_with_chat_sample]
@@ -861,6 +877,8 @@ jobs:
 
   check_failure:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     needs:
       [build_packages, build_calling_sample, build_chat_sample, build_static_html_composites_sample, build_storybook]
     if: failure() && github.ref == 'refs/heads/main'

.github/workflows/create-api-view-feature-level.yml

@@ -16,6 +16,7 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions: read-all
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE so job can access it
       - uses: actions/checkout@v3

.github/workflows/create-prerelease-branch.yml

@@ -32,7 +32,7 @@ jobs:
   create_pre-release:
     name: Bump versions and make changelog for release
     runs-on: ubuntu-latest
-
+    permissions: read-all
     steps:
       # Check-out repo
       - uses: actions/checkout@v3

.github/workflows/create-release-branch.yml

@@ -19,6 +19,7 @@ jobs:
     if: ${{ startsWith(github.event.inputs.branch, 'prerelease') }}
     name: Create release branch
     runs-on: ubuntu-latest
+    permissions: read-all
     steps:
       # Check-out repo
       - uses: actions/checkout@v3

.github/workflows/deploy-azure-webapps.yml

@@ -15,14 +15,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  # Needed for Azure login
-  id-token: write
+permissions: read-all
 
 jobs:
   build-and-deploy-samples:
     name: Build and Deploy samples
     runs-on: ubuntu-latest
+    permissions:
+      # Needed for Azure login
+      id-token: write
     environment: production
     steps:
       - uses: actions/checkout@v3
@@ -86,6 +87,8 @@ jobs:
 
   check_failure:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     needs: [build-and-deploy-samples]
     if: failure() && github.ref == 'refs/heads/main'
     name: File issue if Azure Deployment failed

.github/workflows/deploy-feature-azure-webapps.yml

@@ -9,14 +9,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  # Needed for Azure login
-  id-token: write
+permissions: read-all
 
 jobs:
   calling:
     name: Build and Deploy Calling App
     runs-on: ubuntu-latest
+    permissions:
+      # Needed for Azure login
+      id-token: write
     environment: staging
     steps:
       - uses: actions/checkout@v3
@@ -56,6 +57,9 @@ jobs:
   chat:
     name: Build and Deploy Chat App
     runs-on: ubuntu-latest
+    permissions:
+      # Needed for Azure login
+      id-token: write
     environment: staging
     steps:
       - uses: actions/checkout@v3
@@ -95,6 +99,9 @@ jobs:
   callwithchat:
     name: Build and Deploy CallWithChat App
     runs-on: ubuntu-latest
+    permissions:
+      # Needed for Azure login
+      id-token: write
     environment: staging
     steps:
       - uses: actions/checkout@v3

.github/workflows/deploy-release-azure-webapps.yml

@@ -13,14 +13,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  # Needed for Azure login
-  id-token: write
+permissions: read-all
 
 jobs:
   calling:
     name: Build and Deploy Calling App
     runs-on: ubuntu-latest
+    permissions:
+      # Needed for Azure login
+      id-token: write
     environment: production
     steps:
       - uses: actions/checkout@v3
@@ -66,6 +67,9 @@ jobs:
   chat:
     name: Build and Deploy Chat App
     runs-on: ubuntu-latest
+    permissions:
+      # Needed for Azure login
+      id-token: write
     environment: production
     steps:
       - uses: actions/checkout@v3
@@ -111,6 +115,9 @@ jobs:
   callwithchat:
     name: Build and Deploy CallWithChat App
     runs-on: ubuntu-latest
+    permissions:
+      # Needed for Azure login
+      id-token: write
     environment: production
     steps:
       - uses: actions/checkout@v3

.github/workflows/deploy-storybook.yml

@@ -13,6 +13,9 @@ jobs:
   build-and-deploy-storybook:
     name: Build and Deploy Storybook
     runs-on: ubuntu-latest
+    permissions: # permissions needed for the deploy-storybook script
+      packages: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3