From 1efad3f6e23442f296aa9910762512a42e450b87 Mon Sep 17 00:00:00 2001
From: Rich Harris <rich.harris@vercel.com>
Date: Wed, 5 Mar 2025 12:26:18 -0500
Subject: [PATCH] chore: add monitoring to github actions (#15436)

* chore: add monitoring to github actions

* try this
---
 .github/workflows/ci.yml                   | 3 +++
 .github/workflows/ecosystem-ci-trigger.yml | 1 +
 .github/workflows/pkg.pr.new-comment.yml   | 1 +
 .github/workflows/pkg.pr.new.yml           | 2 ++
 .github/workflows/release.yml              | 1 +
 5 files changed, 8 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b2bcb08848..cf73a1f6cb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,7 @@ env:
 
 jobs:
   Tests:
+    permissions: {}
     runs-on: ${{ matrix.os }}
     timeout-minutes: 15
     strategy:
@@ -41,6 +42,7 @@ jobs:
         env:
           CI: true
   Lint:
+    permissions: {}
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
@@ -61,6 +63,7 @@ jobs:
         if: (${{ success() }} || ${{ failure() }}) # ensures this step runs even if previous steps fail
         run: pnpm build && { [ "`git status --porcelain=v1`" == "" ] || (echo "Generated types have changed — please regenerate types locally with `cd packages/svelte && pnpm generate:types` and commit the changes after you have reviewed them"; git diff; exit 1); }
   Benchmarks:
+    permissions: {}
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
diff --git a/.github/workflows/ecosystem-ci-trigger.yml b/.github/workflows/ecosystem-ci-trigger.yml
index ce7bf04136..71df3242e8 100644
--- a/.github/workflows/ecosystem-ci-trigger.yml
+++ b/.github/workflows/ecosystem-ci-trigger.yml
@@ -9,6 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'sveltejs/svelte' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/github-script@v6
         with:
           script: |
diff --git a/.github/workflows/pkg.pr.new-comment.yml b/.github/workflows/pkg.pr.new-comment.yml
index 1698a456d3..b1fba0b04b 100644
--- a/.github/workflows/pkg.pr.new-comment.yml
+++ b/.github/workflows/pkg.pr.new-comment.yml
@@ -11,6 +11,7 @@ jobs:
     name: 'Update comment'
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Download artifact
         uses: actions/download-artifact@v4
         with:
diff --git a/.github/workflows/pkg.pr.new.yml b/.github/workflows/pkg.pr.new.yml
index 99f8153517..90d219faae 100644
--- a/.github/workflows/pkg.pr.new.yml
+++ b/.github/workflows/pkg.pr.new.yml
@@ -3,6 +3,8 @@ on: [push, pull_request]
 
 jobs:
   build:
+    permissions: {}
+
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1daef0b89c..6debe5662a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,7 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Checkout Repo
         uses: actions/checkout@v4
         with: