[ci] Explicitly declare permissions and limit credentials (#15324)

Authored by: bashonly
2026-01-02 22:00:48 +00:00 · 2025-12-19 13:22:23 -06:00
parent 825648a740
commit a6a8f6b6d6
13 changed files with 96 additions and 43 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,8 +56,7 @@ on:
        default: false
        type: boolean

-permissions:
-  contents: read
+permissions: {}

 jobs:
  prepare:
@@ -150,29 +149,31 @@ jobs:
        run: git push origin "${GITHUB_EVENT_REF}"

  build:
-    needs: prepare
+    needs: [prepare]
+    permissions:
+      contents: read
    uses: ./.github/workflows/build.yml
    with:
      version: ${{ needs.prepare.outputs.version }}
      channel: ${{ needs.prepare.outputs.channel }}
      origin: ${{ needs.prepare.outputs.target_repo }}
      linux_armv7l: ${{ inputs.linux_armv7l }}
-    permissions:
-      contents: read
    secrets:
      GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}

  publish_pypi:
    needs: [prepare, build]
    if: ${{ needs.prepare.outputs.pypi_project }}
-    runs-on: ubuntu-latest
    permissions:
+      contents: read
      id-token: write  # mandatory for trusted publishing
+    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v6
        with:
-          fetch-depth: 0
+          fetch-depth: 0  # Needed for changelog
+          persist-credentials: false
      - uses: actions/setup-python@v6
        with:
          python-version: "3.10"
@@ -236,6 +237,7 @@ jobs:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
+          persist-credentials: false
      - uses: actions/download-artifact@v7
        with:
          path: artifact