Merge pull request #240 from dflook/fix-react

Fix react

README.md

@@ -51,6 +51,10 @@ name: Create terraform plan
 
 on: [pull_request]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
@@ -77,6 +81,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   apply:
     runs-on: ubuntu-latest

example_workflows/apply_plan.yaml

@@ -5,6 +5,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest

example_workflows/create_plan.yaml

@@ -3,6 +3,10 @@ name: Create terraform plan
 on:
   - pull_request
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest

example_workflows/validate.yaml

@@ -2,8 +2,8 @@ name: Validate changes
 
 on:
   push:
-    branches:
-      - '!main'
+    branches-ignore:
+      - 'main'
 
 jobs:
   fmt-check:

image/Dockerfile-base

@@ -27,7 +27,7 @@ RUN apt-get update  \
     wget \
     gpg \
     gpg-agent \
-    dirmngr \    
+    dirmngr \
  && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir -p $TF_PLUGIN_CACHE_DIR

image/actions.sh

@@ -76,6 +76,12 @@ function setup() {
         exit 1
     fi
 
+    if [[ ! -v TERRAFORM_ACTIONS_GITHUB_TOKEN ]]; then
+      if [[ -v GITHUB_TOKEN ]]; then
+        export TERRAFORM_ACTIONS_GITHUB_TOKEN="$GITHUB_TOKEN"
+      fi
+    fi
+
     if ! github_comment_react +1 2>"$STEP_TMP_DIR/github_comment_react.stderr"; then
         debug_file "$STEP_TMP_DIR/github_comment_react.stderr"
     fi
@@ -102,12 +108,6 @@ function setup() {
 
     detect-tfmask
 
-    if [[ ! -v TERRAFORM_ACTIONS_GITHUB_TOKEN ]]; then
-      if [[ -v GITHUB_TOKEN ]]; then
-        export TERRAFORM_ACTIONS_GITHUB_TOKEN="$GITHUB_TOKEN"
-      fi
-    fi
-
     execute_run_commands
 }
 

terraform-apply/README.md

@@ -278,7 +278,8 @@ These input values must be the same as any `terraform-plan` for the same configu
     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   ```
 
-  The token provided by GitHub Actions will work with the default permissions.
+  The token provided by GitHub Actions has default permissions at GitHub's whim. You can see what it is for your repo under the repo settings.
+
   The minimum permissions are `pull-requests: write`.
   It will also likely need `contents: read` so the job can checkout the repo.
 
@@ -401,6 +402,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   apply:
     runs-on: ubuntu-latest
@@ -516,6 +521,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest

terraform-plan/README.md

@@ -195,7 +195,8 @@ The [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/
     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   ```
 
-  The token provided by GitHub Actions will work with the default permissions.
+  The token provided by GitHub Actions has default permissions at GitHub's whim. You can see what it is for your repo under the repo settings.
+
   The minimum permissions are `pull-requests: write`.
   It will also likely need `contents: read` so the job can checkout the repo.
 
@@ -385,6 +386,10 @@ name: PR Plan
 
 on: [pull_request]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
@@ -419,6 +424,10 @@ env:
   TERRAFORM_CLOUD_TOKENS: terraform.example.com=${{ secrets.TF_REGISTRY_TOKEN }}
   TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }}
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     runs-on: ubuntu-latest
@@ -451,6 +460,10 @@ name: Terraform Plan
 
 on: [issue_comment]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   plan:
     if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'terraform plan') }}