build: update permissions and use sparse checkout

Planeshifter · Planeshifter · commit 3b83db05ee68 · 2025-03-17T18:08:03.000-04:00
---
type: pre_commit_static_analysis_report
description: Results of running static analysis checks when committing changes.
report:
  - task: lint_filenames
    status: passed
  - task: lint_editorconfig
    status: passed
  - task: lint_markdown
    status: na
  - task: lint_package_json
    status: na
  - task: lint_repl_help
    status: na
  - task: lint_javascript_src
    status: na
  - task: lint_javascript_cli
    status: na
  - task: lint_javascript_examples
    status: na
  - task: lint_javascript_tests
    status: na
  - task: lint_javascript_benchmarks
    status: na
  - task: lint_python
    status: na
  - task: lint_r
    status: na
  - task: lint_c_src
    status: na
  - task: lint_c_examples
    status: na
  - task: lint_c_benchmarks
    status: na
  - task: lint_c_tests_fixtures
    status: na
  - task: lint_shell
    status: na
  - task: lint_typescript_declarations
    status: na
  - task: lint_typescript_tests
    status: na
  - task: lint_license_headers
    status: passed
---
diff --git a/.github/workflows/check_commit_metadata.yml b/.github/workflows/check_commit_metadata.yml
@@ -53,14 +53,10 @@ jobs:
         # Pin action to full length commit SHA
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # Specify whether to remove untracked files before checking out the repository:
-          clean: true
-
-          # Limit clone depth to the most recent commit:
-          fetch-depth: 1
-
-          # Specify whether to download Git-LFS files:
-          lfs: false
+          # Ensure we have access to the scripts directory:
+          sparse-checkout: |
+              .github/workflows/scripts
+          sparse-checkout-cone-mode: false
         timeout-minutes: 10
 
       # Extract commit metadata from commit messages as JSON:
diff --git a/.github/workflows/check_contributing_guidelines_acceptance.yml b/.github/workflows/check_contributing_guidelines_acceptance.yml
@@ -50,9 +50,6 @@ permissions:
   # Allow read-only access to the repository contents:
   contents: read
 
-  # Allow write access to pull requests:
-  pull-requests: write
-
 # Workflow jobs:
 jobs:
 
@@ -75,14 +72,10 @@ jobs:
         # Pin action to full length commit SHA
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # Specify whether to remove untracked files before checking out the repository:
-          clean: true
-
-          # Limit clone depth to the most recent commit:
-          fetch-depth: 1
-
-          # Specify whether to download Git-LFS files:
-          lfs: false
+          # Ensure we have access to the scripts directory:
+          sparse-checkout: |
+              .github/workflows/scripts
+          sparse-checkout-cone-mode: false
         timeout-minutes: 10
 
       # Check contributing guidelines acceptance:
diff --git a/.github/workflows/create_address_commit_comment_issues.yml b/.github/workflows/create_address_commit_comment_issues.yml
@@ -55,14 +55,10 @@ jobs:
         # Pin action to full length commit SHA
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # Specify whether to remove untracked files before checking out the repository:
-          clean: false
-
-          # Limit clone depth to the most recent commit:
-          fetch-depth: 1
-
-          # Specify whether to download Git-LFS files:
-          lfs: false
+          # Ensure we have access to the scripts directory:
+          sparse-checkout: |
+              .github/workflows/scripts
+          sparse-checkout-cone-mode: false
         timeout-minutes: 10
 
       # Create issues from commit comments:
diff --git a/.github/workflows/good_first_issue.yml b/.github/workflows/good_first_issue.yml
@@ -40,7 +40,6 @@ jobs:
     # Define job permissions:
     permissions:
       contents: read
-      pull-requests: write
 
     # Define the type of virtual host machine:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/label_good_first_prs.yml b/.github/workflows/label_good_first_prs.yml
@@ -43,8 +43,8 @@ jobs:
 
     # Define job permissions:
     permissions:
+      # Allow read-only access to the repository contents:
       contents: read
-      pull-requests: write
 
     # Define the type of virtual host machine:
     runs-on: ubuntu-latest
@@ -56,14 +56,10 @@ jobs:
         # Pin action to full length commit SHA
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # Specify whether to remove untracked files before checking out the repository:
-          clean: true
-
-          # Limit clone depth to the most recent commit:
-          fetch-depth: 1
-
-          # Specify whether to download Git-LFS files:
-          lfs: false
+          # Ensure we have access to the scripts directory:
+          sparse-checkout: |
+              .github/workflows/scripts
+          sparse-checkout-cone-mode: false
         timeout-minutes: 10
 
       # Check whether any of the referenced issues is a "Good First Issue":
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -49,7 +49,6 @@ jobs:
     # Define job permissions:
     permissions:
       contents: read
-      pull-requests: write
 
     # Define the type of virtual host machine:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint_pr_title.yml b/.github/workflows/lint_pr_title.yml
@@ -62,8 +62,8 @@ jobs:
           # Specify whether to remove untracked files before checking out the repository:
           clean: false
 
-          # Limit clone depth to the most recent 100 commits:
-          fetch-depth: 100
+          # Limit clone depth to the most recent commit:
+          fetch-depth: 1
 
           # Specify whether to download Git-LFS files:
           lfs: false
diff --git a/.github/workflows/too_many_good_first_prs.yml b/.github/workflows/too_many_good_first_prs.yml
@@ -43,7 +43,6 @@ jobs:
     # Define job permissions:
     permissions:
       contents: read
-      pull-requests: write
 
     # Define the type of virtual host machine:
     runs-on: ubuntu-latest
@@ -55,14 +54,10 @@ jobs:
         # Pin action to full length commit SHA
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # Specify whether to remove untracked files before checking out the repository:
-          clean: true
-
-          # Limit clone depth to the most recent commit:
-          fetch-depth: 1
-
-          # Specify whether to download Git-LFS files:
-          lfs: false
+          # Ensure we have access to the scripts directory:
+          sparse-checkout: |
+            .github/workflows/scripts
+          sparse-checkout-cone-mode: false
         timeout-minutes: 10
 
       # Prevent contributors from opening too many "Good First PR"s:
