From 575e39821715f213a39f757d4b6e959e99a20e95 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Fri, 8 Dec 2023 19:18:02 +0000
Subject: [PATCH 1/4] Set minimal token permissions
Signed-off-by: Pedro Kaj Kjellerup Nacht
---
 .github/workflows/main.yml | 3 +++
 .github/workflows/pr-comment.yml | 6 ++++++
 .github/workflows/stale.yaml | 6 ++++++
 3 files changed, 15 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f3dfb25fc5..cf6d8c8397 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,6 +6,9 @@ on:
 - 3.*
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
index 881e1d6bc0..33010e5df0 100644
--- a/.github/workflows/pr-comment.yml
+++ b/.github/workflows/pr-comment.yml
@@ -3,10 +3,16 @@ name: Agrega comentario a PR
 on:
 pull_request_target:
+permissions:
+ contents: read
+
 jobs:
 pr-comment:
 name: Entradas sin traducción
 runs-on: ubuntu-22.04
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 6004689909..7924b86358 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -3,9 +3,15 @@ on:
 schedule:
 - cron: '30 1 * * *'
+permissions:
+ contents: read
+
 jobs:
 stale:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/stale@v8
 with:
From 997401acc4487638c39383b47328683eac24ebfb Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Fri, 8 Dec 2023 19:18:45 +0000
Subject: [PATCH 2/4] pr-comment: isolate step that needs additional permissions
Signed-off-by: Pedro Kaj Kjellerup Nacht
---
 .github/workflows/pr-comment.yml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
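Review bot: The job-level `permissions:` block added under `pr-comment:` in pr-comment.yml replaces the workflow-level block rather than merging with it, so that job ends up with `issues: write` and `pull-requests: write` but `contents: none`, even though it still runs `actions/checkout@v4` a few lines below. Add `contents: read` to the job block alongside the two write scopes so the checkout's token access is declared explicitly instead of depending on the repository's visibility. The same replacement semantics apply to the `stale:` job in stale.yaml, which only calls `actions/stale@v8` and needs no `contents` scope, so it is unaffected. The `with:` block of the checkout step in pr-comment continues outside the hunk.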
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
index 33010e5df0..4b28bb12f5 100644
--- a/.github/workflows/pr-comment.yml
+++ b/.github/workflows/pr-comment.yml
@@ -7,12 +7,12 @@ permissions:
 contents: read
 jobs:
- pr-comment:
+ define-comment:
 name: Entradas sin traducción
 runs-on: ubuntu-22.04
- permissions:
- issues: write
- pull-requests: write
+ outputs:
+ any_changed: ${{ steps.changed-files.outputs.any_changed }}
+ comment: ${{ steps.create-pr-comment.outputs.comment }}
 steps:
 - uses: actions/checkout@v4
 with:
@@ -43,9 +43,17 @@ jobs:
 python scripts/list_missing_entries.py --github $CHANGED_PO_FILES
 echo EOF
 } >> "$GITHUB_OUTPUT"
+
+ write-comment:
+ runs-on: ubuntu-22.04
+ needs: [define-comment]
+ if: needs.define-comment.outputs.any_changed == 'true'
+ permissions:
+ issues: write
+ pull-requests: write
+ steps:
 - name: Agregar comentario con entradas faltantes
- if: steps.changed-files.outputs.any_changed == 'true'
 uses: thollander/actions-comment-pull-request@v2
 with:
- message: ${{ steps.create-pr-comment.outputs.comment }}
+ message: ${{ needs.define-comment.outputs.comment }}
 comment_tag: missing-entries
From 71fddb69c9d46746a111d538b706dd6fd6b6985a Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Fri, 8 Dec 2023 20:28:34 +0000
Subject: [PATCH 3/4] pr-comment: Safe checkout of script files
Signed-off-by: Pedro Kaj Kjellerup Nacht
---
 .github/workflows/pr-comment.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
index 4b28bb12f5..3a147d5037 100644
--- a/.github/workflows/pr-comment.yml
+++ b/.github/workflows/pr-comment.yml
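Review bot: The renamed `define-comment:` job, which appears to be the one that checks out and inspects the pull request's changed files under `pull_request_target`, carries no `permissions:` block of its own and so silently relies on the workflow-level `contents: read`; a reader of the job alone cannot tell that it is deliberately unprivileged while `write-comment:` holds the write scopes and checks nothing out. I would make that explicit by adding `permissions:` / `  contents: read` under its `runs-on: ubuntu-22.04`, and a comment above `define-comment:` such as `# privilege separation: this job handles PR content with a read-only token; only write-comment may post, and it never checks out code` so the two jobs are not merged back later. The `${{ needs.define-comment.outputs.comment }}` value is passed as an action input under `with:` rather than interpolated into a `run:` script, which keeps it on the right side of the expression-injection boundary. Both hunks sit inside the `jobs:` mapping, whose start lies outside the hunk.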
@@ -23,9 +23,18 @@ jobs:
 with:
 python-version: "3.11"
 cache: "pip"
+ # checkout these files from the base branch to guarantee they haven't been
+ # modified by the PR
+ - uses: actions/checkout@v4
+ with:
+ path: base-branch
+ sparse-checkout-cone-mode: false
+ sparse-checkout: |
+ requirements.txt
+ scripts/list_missing_entries.py
 - name: Instalar dependencias
 run: |
- python -m pip install -r requirements.txt
+ python -m pip install -r base-branch/requirements.txt
 - name: Obtiene lista de archivos con cambios
 id: changed-files
 uses: tj-actions/changed-files@v40
@@ -40,7 +49,7 @@ jobs:
 run: |
 {
 echo 'comment<> "$GITHUB_OUTPUT"
From c3813ab76caf2db44bee45f55850a08de02b4fc1 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Mon, 11 Dec 2023 15:39:17 +0000
Subject: [PATCH 4/4] TEST: Undo change to main.yml to investigate CI/CD failure
Signed-off-by: Pedro Kaj Kjellerup Nacht
---
 .github/workflows/main.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index cf6d8c8397..f3dfb25fc5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,9 +6,6 @@ on:
 - 3.*
 pull_request:
-permissions:
- contents: read
-
 jobs:
 test:
 name: Test
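Review bot: The second `actions/checkout@v4` added under `cache: "pip"` is referenced by a mutable tag, as are the other actions in this workflow; in a `pull_request_target` workflow whose point here is to keep the executed script out of the PR's control, the actions themselves are the remaining mutable input, and pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`) closes that gap. The step also relies on the checkout's default `ref` resolving to the base branch under `pull_request_target`, which holds, but the comment above it would be self-verifying with an explicit `ref: ${{ github.base_ref }}`. The second hunk of this patch (`@@ -40,7 +49,7 @@`) is garbled in this rendering, so whether the `python scripts/list_missing_entries.py` invocation was redirected to the `base-branch/` copy cannot be confirmed here, and the hardening depends on it. The enclosing `steps:` sequence begins outside the hunk.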