Expand file tree Collapse file tree Original file line number Diff line number Diff line change 11name : Release
22run-name : Release ${{ github.event.inputs.version || github.event.inputs.releaseType }}
33
4- # Explicit minimal permissions per security guidance
4+ # Explicit minimal permissions per security guidance (code scanning recommendation).
5+ # Provide ONLY the permission strictly required at the workflow scope. Jobs that need
6+ # additional scopes (e.g., creating PRs) declare their own permissions blocks.
57permissions :
68 contents : write # needed to create tags/releases and read repo contents
7- pull-requests : read # read PR metadata if version derived from PR context
8- actions : read # allow reading action metadata (optional informational)
9- checks : read # allow reading check runs (used indirectly by gh in some contexts)
109
1110on :
1211 workflow_dispatch :
5251 release :
5352 runs-on : ubuntu-latest
5453 # Harden job: restrict token further if steps don't need broader scopes
54+ # Job requires only contents:write for tagging & release artifact upload.
5555 permissions :
56- contents : write # create tag & release
57- pull-requests : read
58- actions : read
59- checks : read
56+ contents : write
6057 outputs :
6158 released_version : ${{ steps.version.outputs.next_version }}
6259 core_changed : ${{ steps.detect.outputs.core_changed }}
@@ -313,9 +310,8 @@ jobs:
313310 if : needs.release.result == 'success' && needs.release.outputs.core_changed == 'true' && inputs.skipModuleBump != true
314311 uses : ./.github/workflows/auto-bump-modules.yml
315312 permissions :
316- contents : write # required for pushing bump branch / PR
317- pull-requests : write
318- actions : read
313+ contents : write # push bump branch & tag refs
314+ pull-requests : write # open/update PR
319315 with :
320316 coreVersion : ${{ needs.release.outputs.released_version }}
321317 secrets :
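Review bot: The workflow-level `contents: write` kept on the new side of the first hunk (under the new "Provide ONLY the permission strictly required at the workflow scope" comment) is broader than that comment promises, because the `release` job already declares `contents: write` in its own block and the module-bump caller job declares `contents: write` plus `pull-requests: write`, so any job in this file without an explicit `permissions:` block still inherits write access to repository contents from the workflow default. Setting `contents: read  # read-only default; jobs that tag, release or push branches escalate in their own permissions block` at the workflow scope keeps the read access checkout needs and limits write to the two jobs that visibly require it. Whether another job in this workflow relies on the inherited write scope is not visible in these hunks, so check the remaining jobs before narrowing. Separately, the `pull-requests: read` and `actions: read` scopes dropped from the `release` job in the second hunk and from the caller job in the third will only surface as 403s at runtime if `steps.version` reads PR metadata through `gh`, or if the reusable auto-bump-modules workflow fetches artifacts across runs; a `workflow_dispatch` of this workflow after merging would confirm the reduction is safe.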