Commit b43fcb2
committed
ci: harden the release-PR workflow auth
Checkout now runs read-only with persist-credentials: false so the token
isn't left in the git config for the whole job, and the write-capable app
token is only used at the push step (via the push URL, not persisted). The
job also drops its blanket contents/pull-requests write permissions, since
the default token only needs read and the app token does the writing.
Addresses the review on this PR and clears zizmor's artipacked finding for
this workflow.
Note: AI-assisted (Claude Code), verified with zizmor that the artipacked
finding on this file is gone after the change.1 parent 374e7c6 commit b43fcb2
1 file changed
Lines changed: 14 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
12 | | - | |
13 | | - | |
14 | | - | |
15 | 12 | | |
16 | 13 | | |
17 | 14 | | |
18 | 15 | | |
19 | | - | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
20 | 20 | | |
21 | 21 | | |
22 | 22 | | |
| |||
43 | 43 | | |
44 | 44 | | |
45 | 45 | | |
46 | | - | |
| 46 | + | |
47 | 47 | | |
48 | | - | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
49 | 51 | | |
50 | 52 | | |
51 | 53 | | |
| |||
56 | 58 | | |
57 | 59 | | |
58 | 60 | | |
59 | | - | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
60 | 66 | | |
61 | 67 | | |
| 68 | + | |
62 | 69 | | |
63 | 70 | | |
0 commit comments