From ec8aa5e6cb705eabae0d5629c879c49179f4e33c Mon Sep 17 00:00:00 2001
From: Hidetake Iwata
Date: Sun, 2 Apr 2023 17:01:13 +0900
Subject: [PATCH] Add permissions to doc and workflows (#631)
* Add permissions
* Update e2e-target.yaml
* Update README.md
* Fix e2e permissions
---
 .github/workflows/e2e-target.yaml | 4 ++++
 .github/workflows/e2e.yaml | 8 +++++++
 .github/workflows/release.yaml | 2 ++
 .github/workflows/ts.yaml | 3 +++
 README.md | 37 ++++++++++++++++++++++++++-----
 5 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/e2e-target.yaml b/.github/workflows/e2e-target.yaml
index c08cc512..0ccda63d 100644
--- a/.github/workflows/e2e-target.yaml
+++ b/.github/workflows/e2e-target.yaml
@@ -12,6 +12,10 @@ jobs:
 name: test / ${{ github.event_name }} / ${{ github.event.action }}
 runs-on: ubuntu-latest
 timeout-minutes: 10
+ permissions:
+ actions: read
+ checks: write
+ contents: read
 steps:
 - name: Event
 uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # v6.4.0
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index bd9aa515..d589bd85 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -7,6 +7,9 @@ on:
 types:
 - completed
 pull_request:
+ types:
+ - opened
+ - closed
 push:
 branches:
 - main
@@ -18,6 +21,11 @@ jobs:
 name: test / ${{ github.event_name }} / ${{ github.event.action }}
 runs-on: ubuntu-latest
 timeout-minutes: 10
+ permissions:
+ actions: read
+ checks: read
+ contents: read
+ pull-requests: read
 steps:
 - name: Event
 uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # v6.4.0
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 888b8670..25cb9b1f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
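Review bot: The new job-level block grants `checks: write`, while the e2e.yaml hunk in this same commit and the README section it adds both use `checks: read` for job and step metrics; if the github-script step visible here only reads check runs, `checks: read` is the least-privilege grant. If this target job really does create or update check runs, a trailing comment naming the step that needs it, e.g. `checks: write  # TODO confirm: which step writes check runs (e2e.yaml only needs read)`, would record why the broader scope is intentional. Declaring `permissions:` at job level also sets every unlisted scope to none for this job, which is the desired effect but should be checked against the steps that continue past the hunk.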
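Review bot: Restricting `pull_request:` to `opened` and `closed` replaces the default activity types (`opened`, `synchronize`, `reopened`), so pushes to an already-open pull request no longer run this workflow; that looks intentional, since the README in this commit describes pull_request metrics on the `closed` type, but nothing in the file says so. A comment above the list, `# opened/closed only: the action reports pull_request metrics on these types`, would stop a later editor from "restoring" `synchronize`. The `on:` block continues outside the hunk.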
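Review bot: The four read scopes added to this job are not tied to anything in the file, whereas the README hunks in this commit split them by event (`actions`/`checks`/`contents` for job and step metrics, `pull-requests` for pull_request, `actions` for schedule); because this job runs for several triggers, a trailing comment per scope, e.g. `pull-requests: read  # pull_request event metrics` and `checks: read  # job/step metrics`, would let a reviewer match each grant to the trigger that needs it. Whether every scope is exercised by the steps after `uses: actions/github-script` cannot be seen from here, as the job continues past the hunk.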
@@ -14,6 +14,8 @@ jobs:
 tag:
 runs-on: ubuntu-latest
 timeout-minutes: 10
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
diff --git a/.github/workflows/ts.yaml b/.github/workflows/ts.yaml
index d4ed49e8..5f12e04a 100644
--- a/.github/workflows/ts.yaml
+++ b/.github/workflows/ts.yaml
@@ -39,6 +39,9 @@ jobs:
 generate:
 runs-on: ubuntu-latest
 timeout-minutes: 10
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
diff --git a/README.md b/README.md
index bc2a84ca..4c5b29a4 100644
--- a/README.md
+++ b/README.md
@@ -201,13 +201,10 @@ It has the following tags: ### Enable job or step metrics -Note that this action calls GitHub GraphQL API to get jobs and steps of a workflow run. -It may cause the rate exceeding error if too many workflows are run. -It may also increase the cost of custom metrics in Datadog. - To send the metrics of jobs and steps: ```yaml + steps: - uses: int128/datadog-actions-metrics@v1 with: datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
@@ -218,6 +215,7 @@ To send the metrics of jobs and steps: To send the metrics of jobs and steps on the default branch only: ```yaml + steps: - uses: int128/datadog-actions-metrics@v1 with: datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
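Review bot: `contents: write` on the `tag` job is the only write scope in this hunk and nothing records what needs it; since the job name suggests it pushes a tag, a trailing comment such as `contents: write  # push the release tag` would document the grant. Because the job's GITHUB_TOKEN now has write access, the `actions/checkout` step two lines below persists that token in the checkout by default, so every later step, including anything `setup-node` leads into, can push to the repository; if the tag push uses its own token, `persist-credentials: false` on the checkout keeps the write token out of the workspace, and the same consideration applies to the `generate` job in the ts.yaml hunk. The rest of the job's steps are outside the hunk.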
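Review bot: The `generate` job now carries both `contents: write` and `pull-requests: write`, the widest grant in this commit, with no comment saying which step needs which scope; a trailing comment per line, e.g. `contents: write  # push regenerated files` and `pull-requests: write  # open or update the PR`, written to match what the later steps actually do, would make a least-privilege review possible from the file alone. If this job also runs on `pull_request` events from forks, the token is read-only regardless of this block, so the write scopes only take effect for branches in this repository; the triggers and the remaining steps are outside the hunk, so that could not be checked here.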
@@ -225,6 +223,18 @@ To send the metrics of jobs and steps on the default branch only: collect-step-metrics: ${{ github.event.workflow_run.head_branch == github.event.repository.default_branch }} ``` +This action calls GitHub GraphQL API to get jobs and steps of the current workflow run. +Note that it may cause the rate exceeding error if too many workflows are run. + +If the job or step metrics is enabled, this action requires the following permissions: + +```yaml + permissions: + actions: read + checks: read + contents: read +``` + ## Metrics for pull_request event
@@ -250,7 +260,6 @@ It has the following tags: - `base_ref` - `head_ref` - ### Pull request (closed) This action sends the following metrics on `closed` type.
@@ -285,6 +294,15 @@ It has the following tags: - Label(s) of a pull request - Available if `send-pull-request-labels` is set +### Permissions + +For pull_request event, this action requires the following permissions: + +```yaml + permissions: + pull-requests: read +``` + ## Metrics for push event
@@ -320,6 +338,15 @@ It has the following tags: It is useful for monitoring self-hosted runners. +### Permissions + +For schedule event, this action requires the following permissions: + +```yaml + permissions: + actions: read +``` + ## Metrics for all supported events