From 54da9da0327c50eb6d6fe1abb64d2c4f39fc1599 Mon Sep 17 00:00:00 2001
From: Adon Metcalfe
Date: Tue, 16 Apr 2024 15:33:20 +0800
Subject: [PATCH] Update tlpclear-githubpages.yml constrain job permissions
---
 .github/workflows/tlpclear-githubpages.yml | 51 ++++++++++++++--------
 1 file changed, 33 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/tlpclear-githubpages.yml b/.github/workflows/tlpclear-githubpages.yml
index 2228ac0d7..d3ccae627 100644
--- a/.github/workflows/tlpclear-githubpages.yml
+++ b/.github/workflows/tlpclear-githubpages.yml
@@ -9,56 +9,71 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: write
-  pages: write
-  id-token: write
-
 # Allow one concurrent deployment
 concurrency:
   group: "pages"
   cancel-in-progress: true
 
 jobs:
-  # Single deploy job since we're just deploying
+  format-markdown:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        with:
+          python-version: "3.11"
+          cache: "pip" # caching pip dependencies
+      - name: install mkdocs
+        run: pip install -r requirements.txt
+      - name: run mdformat
+        run: mdformat .
+      - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
+        with:
+          commit_message: Format markdown docs
   deploy:
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    needs: format-markdown
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
-          python-version: '3.11'
-          cache: 'pip' # caching pip dependencies
+          python-version: "3.11"
+          cache: "pip" # caching pip dependencies
       - name: install mkdocs
         run: pip install -r requirements.txt
-      - name: run mdformat
-        run: mdformat .
       - name: build site
-        run: python -m mkdocs build --strict
+        run: python -m mkdocs build --strict
       - name: build rss feeds
-        run: python generate_rss.py
-      - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
-        with:
-          commit_message: Format markdown docs
+        run: python generate_rss.py
       - name: Setup Pages
         uses: actions/configure-pages@c5a3e1159e0cbdf0845eb8811bd39e39fc3099c2 # v2.1.3
       - name: Upload artifact
         uses: actions/upload-pages-artifact@84bb4cd4b733d5c320c9c9cfbc354937524f4d64 # v1.0.10
         with:
           # Upload main folder
-          path: 'site'
+          path: "site"
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@f27bcc15848fdcdcc02f01754eb838e44bcf389b # v1.2.9
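Review bot: The job-level `permissions` added to `deploy` (`pages: write` / `id-token: write`, second half of the hunk) sets every unlisted scope to none, yet the job still runs `actions/checkout`, which reads the repository through `GITHUB_TOKEN`; add `contents: read` next to those two entries so the clone does not depend on the repository happening to be public. A side effect of splitting the jobs is that `deploy` presumably checks out the triggering commit rather than the formatting commit that `format-markdown` pushes via git-auto-commit-action, so the published site is built from the pre-mdformat tree, whereas the old single job formatted and built the same checkout. Both jobs keep `egress-policy: audit` while running `pip install -r requirements.txt`; since `format-markdown` now holds a `contents: write` token, moving that job to `egress-policy: block` with an explicit `allowed-endpoints` list would be the natural follow-up to this hardening. The `on:` block that decides which events can reach the write-capable job starts above the hunk, so that exposure cannot be judged here.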