gh-action-sigstore-python

readme: Should the default example have "contents:write" ?

Open jku opened this issue 1 year ago • 3 comments

Now that the default is to upload release artifacts, I wonder if we should add contents: write to the main usage example in README (or at least mention this when releases are discussed)?

  • The selftest does not need this permission, I believe, because the upload only triggers on release events.
  • Could add the release trigger to the example as well since it's IMO the most magic in this action (I had never used GitHub release events for doing e.g. PyPI releases, so it was surprising to see it's required by this action).
  • If we're changing the example, could change the job name as well: "selftest" sounds a little weird in an example.

jku avatar Jul 09 '24 06:07 jku

Yeah, makes sense to me!

woodruffw avatar Jul 09 '24 14:07 woodruffw

I'd also request that every permission listed has a code comment clearly stating what it's for.

webknjaz avatar Jul 16 '24 12:07 webknjaz

No objection. I'll try and find some time to do this in the coming days, unless someone else wants to do it first 😉

woodruffw avatar Jul 16 '24 14:07 woodruffw
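
A workflow along the lines discussed in this thread, added here as an illustration; it is not the project's README example. It puts the release trigger, a job name other than "selftest", and a comment on every permission in one place. The `sign` job name, the build step, the `dist/` paths and the `<version>` placeholder are assumptions, and `id-token: write` is included on the understanding that the action needs it for OIDC-based signing.

```yaml
name: release

on:
  release:
    # The upload of signing artifacts only happens on release events.
    types: [published]

jobs:
  sign:                      # hypothetical job name, replacing "selftest"
    runs-on: ubuntu-latest
    # Job-level permissions: everything not listed here is set to "none".
    permissions:
      id-token: write        # request the OIDC token used for Sigstore signing
      contents: write        # attach the signing artifacts to the GitHub release
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      # Assumed build step; any step that produces the files to sign works.
      - run: python -m pip install build && python -m build

      # <version> is a placeholder: pin to a release tag or commit SHA.
      - uses: sigstore/gh-action-sigstore-python@<version>
        with:
          inputs: ./dist/*.tar.gz ./dist/*.whl
```

Declaring the permissions on the job rather than at the top of the workflow keeps `contents: write` away from any other job added to the same file later.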