
Commit b6bbf0d

committed
chore: reduce default token permission scope
1 parent ae86efb commit b6bbf0d

2 files changed

Lines changed: 42 additions & 22 deletions


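--- a/.github/workflows/release-beta.yml
+++ b/.github/workflows/release-beta.yml
@@ -7,7 +7,7 @@ on:
 workflow_dispatch:
 
 permissions:
-contents: write
+contents: read
 
 jobs:
 release:
@@ -79,7 +79,6 @@ jobs:
 private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 owner: ${{ github.repository_owner }}
 repositories: |
-cli
 homebrew-tap
 scoop-bucket
 - run: go run tools/publish/main.go --beta "${{ needs.release.outputs.new-release-version }}"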
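Review bot: Lowering the workflow default to `contents: read` in the first hunk leaves the `release` job (it starts at line 13 and its body is outside the hunk) with no visible `contents: write`, which it would need if it is the job that creates the GitHub release or tag behind `needs.release.outputs.new-release-version`. If it does, grant that at job level with `permissions:` / `contents: write` directly under `release:` rather than restoring the workflow-wide default. The second hunk's removal of `cli` from the app token's `repositories:` list is a matching least-privilege narrowing: the minted token now covers only `homebrew-tap` and `scoop-bucket`, presumably the repositories the publish step in this hunk writes to.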

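--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,37 +7,25 @@ on:
 workflow_call:
 
 permissions:
-contents: write
-packages: write
-# Required for npm OIDC
-id-token: write
+contents: read
 
 jobs:
 settings:
 runs-on: ubuntu-latest
+permissions:
+contents: write
+packages: write
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 outputs:
 release_tag: ${{ steps.prerelease.outputs.tagName }}
-app_token: ${{ steps.app-token.outputs.token }}
 steps:
 - uses: actions/checkout@v6
 - id: prerelease
 run: |
 gh release list --limit 1 --json tagName --jq \
 '.[]|to_entries|map("\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_OUTPUT
 - run: gh release edit ${{ steps.prerelease.outputs.tagName }} --latest --prerelease=false
-- id: app-token
-uses: actions/create-github-app-token@v2
-with:
-app-id: ${{ secrets.APP_ID }}
-private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-owner: ${{ github.repository_owner }}
-repositories: |
-cli
-homebrew-tap
-scoop-bucket
-supabase
 
 commit:
 name: Publish Brew and Scoop
@@ -50,9 +38,18 @@ jobs:
 with:
 go-version-file: go.mod
 cache: true
+- id: app-token
+uses: actions/create-github-app-token@v2
+with:
+app-id: ${{ secrets.APP_ID }}
+private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+owner: ${{ github.repository_owner }}
+repositories: |
+homebrew-tap
+scoop-bucket
 - run: go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }}
 env:
-GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
+GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
 publish:
 name: Publish NPM
@@ -77,9 +74,17 @@ jobs:
 with:
 go-version-file: go.mod
 cache: true
+- id: app-token
+uses: actions/create-github-app-token@v2
+with:
+app-id: ${{ secrets.APP_ID }}
+private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+owner: ${{ github.repository_owner }}
+repositories: |
+supabase
 - run: go run tools/selfhost/main.go
 env:
-GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
+GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
 changelog:
 name: Publish changelog
@@ -94,9 +99,17 @@ jobs:
 with:
 go-version-file: go.mod
 cache: true
+- id: app-token
+uses: actions/create-github-app-token@v2
+with:
+app-id: ${{ secrets.APP_ID }}
+private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+owner: ${{ github.repository_owner }}
+repositories: |
+supabase
 - run: go run tools/changelog/main.go ${{ secrets.SLACK_CHANNEL }}
 env:
-GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
+GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
 
 docs:
@@ -110,6 +123,14 @@ jobs:
 with:
 go-version-file: go.mod
 cache: true
+- id: app-token
+uses: actions/create-github-app-token@v2
+with:
+app-id: ${{ secrets.APP_ID }}
+private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+owner: ${{ github.repository_owner }}
+repositories: |
+supabase
 - run: go run docs/main.go ${{ needs.settings.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
 env:
-GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
+GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}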
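Review bot: The workflow-level `id-token: write` (old lines 12-13, together with its `# Required for npm OIDC` comment) is dropped in the first hunk, but the `publish` job's hunk (`@@ -77,9 +74,17 @@`) adds only an app-token step and no job-level `permissions:`, so if that job still publishes to npm through OIDC trusted publishing the token request will fail under the new default of `contents: read`. Unless the npm step (outside the hunk) has been moved off OIDC, add under `publish:` the lines `permissions:` / `id-token: write` / `contents: read`. In that same first hunk the `settings` job is granted `packages: write` at job level, yet its visible steps only list and edit a release with `gh`, which needs `contents: write` alone; since the package-publishing jobs now mint their own app tokens, `packages: write` there looks unnecessary and could be dropped. Each job's body extends beyond its hunk, so confirm both points against the full file before changing them.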
