ci: update ci permission and limit their environment

Keith-CY · Keith-CY · commit 4d3aa8b5135e · 2024-03-16T02:29:14.000+09:00
1. check checksum
2. merge master to dev
diff --git a/.github/workflows/check_checksums.yml b/.github/workflows/check_checksums.yml
@@ -8,16 +8,16 @@ jobs:
   compare:
     name: Compare checksums
     runs-on: macos-latest
+    environment: Release
     permissions:
-      contents: read
-      actions: read
+      contents: write # to append checksum for each commit
+      actions: read # to read artifacts
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Generate checksums from artifacts
-        run:
-          ruby ./scripts/release-checksums.rb ${{ github.event.release.tag_name }} | tee generated_checksums.txt
+        run: ruby ./scripts/release-checksums.rb ${{ github.event.release.tag_name }} | tee generated_checksums.txt
 
       - name: Fetch checksums from release note
         run: |
@@ -39,4 +39,3 @@ jobs:
       - uses: peter-evans/commit-comment@v3
         with:
           body: ${{ steps.comment_body.outputs.body }}
-
diff --git a/.github/workflows/merge_released_into_develop.yml b/.github/workflows/merge_released_into_develop.yml
@@ -9,6 +9,9 @@ jobs:
   merge-to-dev:
     name: Merge into develop
     runs-on: ubuntu-latest
+    environment: Release
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/checkout@master
       - name: Request
