From e8f307aa1c7cc97c1bfae620570baf9c49c1d0e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bastian=20Echterh=C3=B6lter?= Date: Tue, 7 Apr 2026 11:37:56 +0200 Subject: [PATCH] fix: add permissions block and forward release_branch input MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add explicit empty permissions block to release-openmfp.yml to restrict default GITHUB_TOKEN scope per least privilege principle. Add release_branch input to job-release-node.yml and forward it to job-node-test.yml so artifact uploads work for non-main branches. Signed-off-by: Bastian Echterhölter On-behalf-of: @SAP --- .github/workflows/job-release-node.yml | 6 ++++++ .github/workflows/release-openmfp.yml | 2 ++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/job-release-node.yml b/.github/workflows/job-release-node.yml index 769fe02..e2b45f9 100644 --- a/.github/workflows/job-release-node.yml +++ b/.github/workflows/job-release-node.yml @@ -21,6 +21,11 @@ on: required: false type: string default: './' + release_branch: + description: 'Name of the release branch' + required: false + type: string + default: 'main' publishFromDist: required: false type: boolean @@ -55,6 +60,7 @@ jobs: secrets: inherit with: workingDirectory: ${{ inputs.workingDirectory }} + release_branch: ${{ inputs.release_branch }} artifactPath: ${{ inputs.artifactPath }} hasBuild: ${{ inputs.hasBuild }} node_version: ${{ inputs.node_version }} diff --git a/.github/workflows/release-openmfp.yml b/.github/workflows/release-openmfp.yml index 1ee339e..bf29b7d 100644 --- a/.github/workflows/release-openmfp.yml +++ b/.github/workflows/release-openmfp.yml @@ -8,6 +8,8 @@ on: required: true type: string +permissions: {} + jobs: trigger-releases: runs-on: ubuntu-latest
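Review bot: Forwarding `release_branch: ${{ inputs.release_branch }}` in the `with:` block of the `job-release-node.yml` hunk always sends a value, because the new input defaults to `'main'`; if `job-node-test.yml` declares its own default for `release_branch`, that default is now shadowed on this call path, which should be stated in the input description, e.g. `description: 'Name of the release branch (forwarded to job-node-test; defaults to main)'`. The value is also passed through unvalidated, and while `workflow_call` inputs come from sibling workflows rather than external users, if the downstream workflow interpolates it into a `run:` step as `${{ inputs.release_branch }}` that becomes a script-injection sink — I cannot see `job-node-test.yml` from here, so treat that as something to confirm, and prefer reading it via `env:` there. Note the context line `secrets: inherit` already hands every repository secret to the called workflow; that predates this change but is worth reconsidering alongside the least-privilege work in the sibling file. Both the `inputs:` mapping and the calling job definition start before the hunk and the `with:` mapping continues after it.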
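Review bot: The new top-level `permissions: {}` in `release-openmfp.yml` strips every `GITHUB_TOKEN` scope from all jobs, so `trigger-releases` — whose steps lie outside the hunk — will fail at runtime unless it re-grants what it needs at job level (for example `permissions:` / `  actions: write` if it dispatches other workflows with `GITHUB_TOKEN`), and the commit does not show that re-grant. Please document the intent on the new line so a later editor does not "fix" a permission error by widening the top-level block: `# Deny all GITHUB_TOKEN scopes by default; each job grants only the scopes it needs.` Bear in mind that this block constrains only `GITHUB_TOKEN`; if the job authenticates with a PAT or GitHub App token from `secrets`, that token's scope is unaffected and should be minimised separately. The `on:`/`inputs:` mapping above the insertion point begins before the hunk and the job body runs past it.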