Skip to content

Commit 725c3ac

Browse files
security(release): declare least-privilege permissions on the release workflow (#1396)
1 parent 1d25e22 commit 725c3ac

1 file changed

Lines changed: 15 additions & 2 deletions

File tree

.github/workflows/release.yml

Lines changed: 15 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,10 +6,19 @@ on:
66

77
name: Create Release
88

9+
# Least-privilege default for the whole workflow — jobs that need more
10+
# override at the job level. Matches the convention used by
11+
# cleanup-jp.yml / nonregression-jp.yml.
12+
permissions:
13+
contents: read
14+
915
jobs:
1016
build:
1117
name: Create Release
1218
runs-on: ubuntu-22.04
19+
# actions/create-release@v1 needs contents: write to publish a Release.
20+
permissions:
21+
contents: write
1322
outputs:
1423
release_url: ${{ steps.create_release.outputs.html_url }}
1524
steps:
@@ -35,6 +44,9 @@ jobs:
3544
zip-recipes:
3645
runs-on: ubuntu-22.04
3746
needs: build
47+
# actions/upload-release-asset needs contents: write to attach recipes.zip.
48+
permissions:
49+
contents: write
3850
steps:
3951
- name: Checkout code
4052
uses: actions/checkout@v2
@@ -113,8 +125,9 @@ jobs:
113125
name: Record release on main
114126
runs-on: ubuntu-22.04
115127
needs: build
116-
permissions:
117-
contents: write
128+
# No override needed — the push uses secrets.RELEASE_TOKEN (a PAT), not
129+
# the default GITHUB_TOKEN, so this job only needs the workflow-level
130+
# `contents: read` (for actions/checkout).
118131
steps:
119132
- name: Checkout main
120133
uses: actions/checkout@v4

0 commit comments

Comments
 (0)