
VLN-474: Set explicit permissions for GitHub Actions workflows

Open · picatz opened this issue 3 months ago · 1 comment

Summary

  • .github/workflows/ci.yaml: Set workflow-level permissions so the GITHUB_TOKEN only reads repository contents and retains actions write access needed for artifact uploads.
  • .github/workflows/goreleaser.yml: Declared workflow permissions granting contents write so GoReleaser can publish release assets with no broader access.
  • .github/workflows/trigger-docs.yml: Limited the workflow token to read-only repository access, sufficient for metadata lookups performed in the job.
  • .github/workflows/trigger-publish.yml: Added read-only repository permissions to the workflow token while external calls use the generated app token.

picatz · Oct 29 '25 17:10
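As an added illustration (not the repository's actual `ci.yaml`), this is the shape of the workflow-level `permissions:` block the first bullet describes, with the default-token situation it replaces noted in comments; the job name and steps are assumed placeholders.

```yaml
# Added example, not the project's own workflow file. The job and its steps are
# placeholders; only the `permissions:` block reflects what the issue describes.
name: ci

on:
  push:
  pull_request:

# Before: no `permissions:` key at all. GITHUB_TOKEN then inherits the
# repository or organisation default, which can be read/write across scopes.
#
# After: declare permissions at the workflow level so every job in this file
# starts from the same least-privilege set. Once any scope is listed here,
# every scope that is not listed is set to `none`.
permissions:
  contents: read   # check out the source, nothing more
  actions: write   # required by actions/upload-artifact to store artifacts

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go test ./... 2>&1 | tee test.log
      - uses: actions/upload-artifact@v4
        with:
          name: test-logs
          path: test.log
```

A job that genuinely needs more (the GoReleaser job's `contents: write`, for instance) can declare its own job-level `permissions:` block rather than widening the whole workflow.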