give release action necessary permissions (#13)

Signed-off-by: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>

Author: DrDaveD

.github/workflows/ci.yml

@@ -1,5 +1,6 @@
-name: CI
-on: [push, pull_request]
+name: ci
+on:
+  pull_request:
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -52,122 +53,3 @@ jobs:
           ${{ runner.os }}-go-
     - name: Test
       run: make test
-  release:
-    needs:
-    - lint
-    - build
-    - test
-    runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/v')
-    steps:
-    - uses: actions/checkout@v3
-    - name: Get tag version
-      id: get-tag-version
-      uses: actions/github-script@v6
-      with:
-        result-encoding: string
-        script: |
-          return context.ref.replace(/^refs\/tags\/v/, '');
-    - uses: mindsers/changelog-reader-action@v2
-      id: read-changelog
-      with:
-        version: ${{ steps.get-tag-version.outputs.result }}
-    - uses: actions/create-release@v1
-      id: create-release
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        tag_name: ${{ github.ref }}
-        release_name: v${{ steps.read-changelog.outputs.version }}
-        body: ${{ steps.read-changelog.outputs.changes }}
-        prerelease: ${{ steps.read-changelog.outputs.status == 'prereleased' }}
-        draft: ${{ steps.read-changelog.outputs.status == 'unreleased' }}
-    outputs:
-      upload-url: ${{ steps.create-release.outputs.upload_url }}
-  release-assets:
-    needs: release
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        include:
-        - os: darwin
-          arch: amd64
-        - os: windows
-          arch: amd64
-        - os: windows
-          arch: '386'
-        - os: linux
-          arch: amd64
-        - os: linux
-          arch: '386'
-        - os: linux
-          arch: arm64
-        - os: linux
-          arch: arm
-        - os: freebsd
-          arch: amd64
-        - os: freebsd
-          arch: '386'
-        - os: freebsd
-          arch: arm
-        - os: netbsd
-          arch: amd64
-        - os: netbsd
-          arch: '386'
-        - os: openbsd
-          arch: amd64
-        - os: openbsd
-          arch: '386'
-        - os: solaris
-          arch: amd64
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v5
-      with:
-        go-version-file: 'go.mod'
-    - uses: actions/cache@v3
-      with:
-        path: |
-          ~/go/pkg/mod
-          ~/go/pkg/sumdb
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
-    - name: Build
-      env:
-        PLUGIN_DIST_OS: ${{ matrix.os }}
-        PLUGIN_DIST_ARCH: ${{ matrix.arch }}
-      run: |
-        make "dist-bin-${PLUGIN_DIST_OS}-${PLUGIN_DIST_ARCH}"
-    - name: Get asset information
-      id: get-asset-information
-      run: |
-        archive_name="$( find ./artifacts/ -type f -not -name '*.sha256.asc' -printf '%f\n' )"
-        archive_media_type="$( file -b --mime-type "./artifacts/${archive_name}" )"
-
-        checksum_name="${archive_name}.sha256.asc"
-        checksum_media_type="$( file -b --mime-type "./artifacts/${checksum_name}" )"
-
-        echo "archive-name=${archive_name}" >>"$GITHUB_OUTPUT"
-        echo "archive-media-type=${archive_media_type}" >>"$GITHUB_OUTPUT"
-
-        echo "checksum-name=${checksum_name}" >>"$GITHUB_OUTPUT"
-        echo "checksum-media-type=${checksum_media_type}" >>"$GITHUB_OUTPUT"
-    - name: Upload checksum asset
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ needs.release.outputs.upload-url }}
-        asset_path: ./artifacts/${{ steps.get-asset-information.outputs.checksum-name }}
-        asset_name: ${{ steps.get-asset-information.outputs.checksum-name }}
-        asset_content_type: ${{ steps.get-asset-information.outputs.checksum-media-type }}
-    - name: Upload archive asset
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ needs.release.outputs.upload-url }}
-        asset_path: ./artifacts/${{ steps.get-asset-information.outputs.archive-name }}
-        asset_name: ${{ steps.get-asset-information.outputs.archive-name }}
-        asset_content_type: ${{ steps.get-asset-information.outputs.archive-media-type }}

.github/workflows/release.yml

@@ -0,0 +1,123 @@
+name: release
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+permissions:
+  contents: write
+jobs:
+  create-release:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+    - uses: actions/checkout@v3
+    - name: Get tag version
+      id: get-tag-version
+      uses: actions/github-script@v6
+      with:
+        result-encoding: string
+        script: |
+          return context.ref.replace(/^refs\/tags\/v/, '');
+    - uses: mindsers/changelog-reader-action@v2
+      id: read-changelog
+      with:
+        version: ${{ steps.get-tag-version.outputs.result }}
+    - uses: actions/create-release@v1
+      id: create-release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        tag_name: ${{ github.ref }}
+        release_name: v${{ steps.read-changelog.outputs.version }}
+        body: ${{ steps.read-changelog.outputs.changes }}
+        prerelease: ${{ steps.read-changelog.outputs.status == 'prereleased' }}
+        draft: ${{ steps.read-changelog.outputs.status == 'unreleased' }}
+    outputs:
+      upload-url: ${{ steps.create-release.outputs.upload_url }}
+  release-assets:
+    needs: create-release
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+        - os: darwin
+          arch: amd64
+        - os: windows
+          arch: amd64
+        - os: windows
+          arch: '386'
+        - os: linux
+          arch: amd64
+        - os: linux
+          arch: '386'
+        - os: linux
+          arch: arm64
+        - os: linux
+          arch: arm
+        - os: freebsd
+          arch: amd64
+        - os: freebsd
+          arch: '386'
+        - os: freebsd
+          arch: arm
+        - os: netbsd
+          arch: amd64
+        - os: netbsd
+          arch: '386'
+        - os: openbsd
+          arch: amd64
+        - os: openbsd
+          arch: '386'
+        - os: solaris
+          arch: amd64
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+    - uses: actions/cache@v3
+      with:
+        path: |
+          ~/go/pkg/mod
+          ~/go/pkg/sumdb
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+    - name: Build
+      env:
+        PLUGIN_DIST_OS: ${{ matrix.os }}
+        PLUGIN_DIST_ARCH: ${{ matrix.arch }}
+      run: |
+        make "dist-bin-${PLUGIN_DIST_OS}-${PLUGIN_DIST_ARCH}"
+    - name: Get asset information
+      id: get-asset-information
+      run: |
+        archive_name="$( find ./artifacts/ -type f -not -name '*.sha256.asc' -printf '%f\n' )"
+        archive_media_type="$( file -b --mime-type "./artifacts/${archive_name}" )"
+
+        checksum_name="${archive_name}.sha256.asc"
+        checksum_media_type="$( file -b --mime-type "./artifacts/${checksum_name}" )"
+
+        echo "archive-name=${archive_name}" >>"$GITHUB_OUTPUT"
+        echo "archive-media-type=${archive_media_type}" >>"$GITHUB_OUTPUT"
+
+        echo "checksum-name=${checksum_name}" >>"$GITHUB_OUTPUT"
+        echo "checksum-media-type=${checksum_media_type}" >>"$GITHUB_OUTPUT"
+    - name: Upload checksum asset
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ needs.create-release.outputs.upload-url }}
+        asset_path: ./artifacts/${{ steps.get-asset-information.outputs.checksum-name }}
+        asset_name: ${{ steps.get-asset-information.outputs.checksum-name }}
+        asset_content_type: ${{ steps.get-asset-information.outputs.checksum-media-type }}
+    - name: Upload archive asset
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ needs.create-release.outputs.upload-url }}
+        asset_path: ./artifacts/${{ steps.get-asset-information.outputs.archive-name }}
+        asset_name: ${{ steps.get-asset-information.outputs.archive-name }}
+        asset_content_type: ${{ steps.get-asset-information.outputs.archive-media-type }}