From d62900588e94224f1cdbf0f0936cf7fc49c68432 Mon Sep 17 00:00:00 2001
From: Cedric <ceddy4395@users.noreply.github.com>
Date: Thu, 2 May 2024 17:39:10 +0200
Subject: [PATCH] chore(ci): Fix potential github action smells (#29416)

* chore(ci): fix gha smells

- Avoid running CI related actions when no source code has changed
- Use permissions whenever using Github Token
- Avoid executing  scheduled workflows on forks

* Fix typo in 'if' statement for gha workflow

Co-authored-by: Jennifer Shehane <shehane.jennifer@gmail.com>

* Add contents write permissions to upload_release_asset

---------

Co-authored-by: Jennifer Shehane <shehane.jennifer@gmail.com>
Co-authored-by: Jennifer Shehane <jennifer@cypress.io>
---
 .github/workflows/update-browser-versions.yml  |  2 ++
 .github/workflows/update_v8_snapshot_cache.yml | 17 +++++++++++++++++
 .github/workflows/upload_release_asset.yml     |  2 ++
 3 files changed, 21 insertions(+)

diff --git a/.github/workflows/update-browser-versions.yml b/.github/workflows/update-browser-versions.yml
index d348bfc7ff3e..330464273fbb 100644
--- a/.github/workflows/update-browser-versions.yml
+++ b/.github/workflows/update-browser-versions.yml
@@ -10,6 +10,8 @@ jobs:
     env:
       CYPRESS_BOT_APP_ID: ${{ secrets.CYPRESS_BOT_APP_ID }}
       BASE_BRANCH: develop
+    # Prevent from running this workflow on forks
+    if: github.repository == 'cypress-io/cypress'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/workflows/update_v8_snapshot_cache.yml b/.github/workflows/update_v8_snapshot_cache.yml
index fc0caf3e3c24..fc36072a2606 100644
--- a/.github/workflows/update_v8_snapshot_cache.yml
+++ b/.github/workflows/update_v8_snapshot_cache.yml
@@ -8,6 +8,23 @@ on:
   push:
     branches:
       - 'release/**'
+    paths-ignore:
+      - .husky/**
+      - .vscode/**
+      - .eslintrc.js
+      - .gitattributes
+      - .gitignore
+      - .percy.yml
+      - .prettierignore
+      - .releaserc.js
+      - .yarnclean
+      - CHANGELOG.md
+      - CODE_OF_CONDUCT.md
+      - CONTRIBUTING.md
+      - LICENSE
+      - README.md
+      - ROADMAP.md
+      - SECURITY.md
   workflow_dispatch:
     inputs:
       branch:
diff --git a/.github/workflows/upload_release_asset.yml b/.github/workflows/upload_release_asset.yml
index d42e04a3901c..b089f42a4808 100644
--- a/.github/workflows/upload_release_asset.yml
+++ b/.github/workflows/upload_release_asset.yml
@@ -13,6 +13,8 @@ jobs:
           FOSSA_API_KEY: ${{secrets.FOSSAAPIKEY}}
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      contents: write
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4