From b1c0c9d40edcf1877698afb865f46c7f498ce7d7 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Thu, 27 Apr 2023 20:49:29 +0000
Subject: [PATCH] GitHub Actions: limit permissions of GITHUB_TOKEN

---
 .github/workflows/release.yml |   29 ++++++++++-------------------
 1 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 71e01a5..6bd93ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,8 @@
 
 name: Release
 
+permissions: {}
+
 jobs:
   build:
     name: Build
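Review bot: The workflow-level `permissions: {}` removes every scope from GITHUB_TOKEN for any job that does not declare its own, and this patch only grants scopes to the release job; the `build` job that starts here (and the job whose checkout step appears at new line 59) is left with an empty token. On a private repository `actions/checkout` needs `contents: read` to clone, so if that applies add `permissions:` / `  contents: read` to those jobs; on a public repository the clone works without a token and the empty default is the correct least-privilege baseline. The `build` job's body continues outside this hunk, so any permissions it already declares are not visible here.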
@@ -57,7 +59,7 @@
     steps:
       - id: checkout
         name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - id: download_artifact
         name: Download artifact
@@ -108,6 +110,8 @@
     name: Release
     runs-on: ubuntu-latest
     needs: [build, test]
+    permissions:
+      contents: write
     steps:
       - id: download_artifact
         name: Download artifact
@@ -117,22 +121,9 @@
 
       - id: create_release
         name: Create release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@v1
         with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ needs.build.outputs.project_name }} ${{ needs.build.outputs.project_version }}
-          draft: false
-          prerelease: false
-
-      - id: upload_release
-        name: Upload release artifact
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ${{ needs.build.outputs.artifact_id }}-${{ needs.build.outputs.project_version }}.jar
-          asset_name: ${{ needs.build.outputs.artifact_id }}-${{ needs.build.outputs.project_version }}.jar
-          asset_content_type: application/java-archive
+          name: ${{ needs.build.outputs.project_name }} ${{ needs.build.outputs.project_version }}
+          files: ${{ needs.build.outputs.artifact_id }}-${{ needs.build.outputs.project_version }}.jar
+          fail_on_unmatched_files: true
+          generate_release_notes: true
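Review bot: `softprops/action-gh-release@v1` is a third-party action that now runs with the only `contents: write` token in the workflow, and `@v1` is a mutable tag its maintainer can move; pin it to a full commit hash with the version as a comment, `uses: softprops/action-gh-release@<full-commit-sha>  # v1`, so a retagged or compromised release cannot publish under this repository's token (the same applies, with lower stakes, to `actions/checkout@v3` in the earlier hunk). The removed step passed `tag_name: ${{ github.ref }}` explicitly whereas the new step leaves the tag to the action's default; if the workflow's `on:` block (outside this hunk) allows runs on non-tag refs, restore an explicit `tag_name:` so the release target stays pinned to the ref that triggered the run. The dropped `draft: false` and `prerelease: false` appear to match the new action's defaults, so no behaviour change is expected there.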

--
Gitblit v1.9.1