From 67c17b2ac9885224166fdcab1e6fbfb7bb02f297 Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov
Date: Mon, 6 May 2024 19:00:39 +0200
Subject: [PATCH] ci: give coveralls permission to post comments to PRs
---
 .github/workflows/_pr_entrypoint.yaml | 9 ++++++---
 .github/workflows/run_test_cases.yaml | 29 ++++++++++++++++++---------
 2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/_pr_entrypoint.yaml b/.github/workflows/_pr_entrypoint.yaml
index 4c8349f3f..b56c958a6 100644
--- a/.github/workflows/_pr_entrypoint.yaml
+++ b/.github/workflows/_pr_entrypoint.yaml
@@ -14,9 +14,6 @@ on:
 env:
 IS_CI: "yes"
-permissions:
- contents: read
-
 jobs:
 sanity-checks:
 runs-on: ubuntu-22.04
@@ -32,6 +29,9 @@ jobs:
 otp_vsn: "26.2.1-2"
 elixir_vsn: "1.15.7"
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 with:
@@ -127,6 +127,9 @@ jobs:
 - emqx
 - emqx-enterprise
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 with:
diff --git a/.github/workflows/run_test_cases.yaml b/.github/workflows/run_test_cases.yaml
index 064642c80..e2d9d8484 100644
--- a/.github/workflows/run_test_cases.yaml
+++ b/.github/workflows/run_test_cases.yaml
@@ -20,9 +20,6 @@ on:
 required: true
 type: string
-permissions:
- contents: read
-
 env:
 IS_CI: "yes"
@@ -40,6 +37,9 @@ jobs:
 shell: bash
 container: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-ubuntu22.04"
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 with:
@@ -82,6 +82,9 @@ jobs:
 run:
 shell: bash
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 with:
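Review bot: Removing the workflow-level `permissions:` / `contents: read` block in the `@@ -14,9 +14,6 @@` hunk (and again in the `@@ -20,9 +20,6 @@` hunk of run_test_cases.yaml) means any job without its own `permissions:` block now runs with the repository's default GITHUB_TOKEN permissions, which can be read-write depending on repository or organization settings. Only two jobs in _pr_entrypoint.yaml gain a job-level block in the visible hunks, so jobs outside the hunks, and jobs added later, lose the read-only floor. A job-level block overrides the workflow-level one, so the top-level `contents: read` can stay in both files while `pull-requests: write` is granted only on the coveralls job and on the job in this file that calls run_test_cases.yaml (a called workflow cannot exceed its caller's token permissions). That calling job is not visible in this diff, so confirm which one needs the grant.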
@@ -137,6 +140,9 @@ jobs:
 run:
 shell: bash
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 with:
@@ -195,6 +201,10 @@ jobs:
 matrix:
 profile:
 - emqx-enterprise
+
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 with:
@@ -232,11 +242,10 @@ jobs:
 if: github.repository == 'emqx/emqx'
 needs: make_cover
 runs-on: ubuntu-22.04
+ permissions:
+ pull-requests: write
 steps:
- - name: Coveralls Finished
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- curl -v -k https://coveralls.io/webhook \
- --header "Content-Type: application/json" \
- --data "{\"repo_name\":\"$GITHUB_REPOSITORY\",\"repo_token\":\"$GITHUB_TOKEN\",\"payload\":{\"build_num\":$GITHUB_RUN_ID,\"status\":\"done\"}}" || true
+ - name: Coveralls finished
+ uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # v2.2.3
+ with:
+ parallel-finished: true
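Review bot: The `coverallsapp/github-action` step in the `@@ -232,11 +242,10 @@` hunk runs with a token that can write to pull requests, and the commit-SHA pin covers the action's own code but not necessarily everything it executes. As I understand it, the v2 action downloads its coverage-reporter binary at run time and uses the latest release unless told otherwise; confirm against the pinned revision and, if so, pin it as well with `coverage-reporter-version: <PINNED_VERSION>` under `with:`. The job-level block lists only `pull-requests: write`, so every other scope is `none` for this job, which suits a step that checks out nothing. A short comment above that line, such as `# coveralls posts the coverage comment on the PR`, would record why the write scope exists.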