chore(build): reduce GitHub Actions secret usage #4856
Merged
arturcic merged 3 commits into GitTools:main from Mar 12, 2026
f774c8b to ed581ab
Pull request overview
This PR reduces reliance on high-privilege GitHub Actions secrets by switching routine same-repo write operations to the built-in GITHUB_TOKEN, moving a diagnostics toggle from secrets to vars, and adding explicit workflow/job permissions where write access is required.
Changes:
- Replace `PUSH_GITHUB_TOKEN`/`DOCKER_GITHUB_TOKEN` usage with the built-in `GITHUB_TOKEN`/`github.token` for same-repo operations.
- Move `ENABLED_DIAGNOSTICS` from `secrets` to `vars` in CI.
- Add/adjust explicit `permissions` blocks for jobs that need write access (contents/packages/attestations).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/public-api.yml | Removes custom checkout token and enables contents: write so the workflow can push with the built-in token. |
| .github/workflows/mkdocs.yml | Removes custom checkout token and adds workflow-level contents: write for pushing snippet updates. |
| .github/workflows/docs.yml | Uses github.token instead of RELEASE_GITHUB_TOKEN for docs publishing and scopes contents: write to the publish job. |
| .github/workflows/ci.yml | Moves diagnostics flag to vars and uses github.token for release steps while keeping PAT only for dispatch. |
| .github/workflows/_docker_manifests.yml | Switches GHCR password input from a PAT secret to the built-in token. |
| .github/workflows/_docker.yml | Switches GHCR password input from a PAT secret to the built-in token. |

Thank you @arturcic for your contribution!
arturcic added a commit that referenced this pull request Mar 12, 2026
…eanup chore(build): reduce GitHub Actions secret usage
arturcic added a commit to arturcic/GitVersion that referenced this pull request Mar 12, 2026
…ecret-cleanup chore(build): reduce GitHub Actions secret usage

Summary
This PR reduces GitHub Actions secret usage by preferring built-in credentials where possible and keeping elevated tokens only where required.
What Changed
Files Updated
Validation
Notes
Closes #4855
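
An added example, not part of this PR or of the GitVersion code base: a small Python check for the three patterns the review summary lists (PAT secrets passed where the built-in token would do, a non-sensitive toggle stored under `secrets`, and no explicit `permissions` block). The workflow fragments, the rule names and the function `audit_workflow` are constructed for illustration; only the secret names come from the summary above.

```python
import re

# Constructed workflow fragments (not copied from the GitVersion repository).
BEFORE = """\
env:
  ENABLED_DIAGNOSTICS: ${{ secrets.ENABLED_DIAGNOSTICS }}
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.PUSH_GITHUB_TOKEN }}
      - run: git push
"""
AFTER = """\
env:
  ENABLED_DIAGNOSTICS: ${{ vars.ENABLED_DIAGNOSTICS }}
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: git push
"""

SECRET_REF = re.compile(r"\bsecrets\.(\w+)")  # also matches inside larger expressions
PERMISSIONS_KEY = re.compile(r"^\s*permissions\s*:", re.MULTILINE)

def audit_workflow(text, non_secret_names=("ENABLED_DIAGNOSTICS",)):
    """Return (line_no, rule, name) findings for the text of one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip YAML comment lines
            continue
        for name in SECRET_REF.findall(line):
            if name in non_secret_names:  # caller-supplied list of known toggles
                findings.append((no, "flag-stored-as-secret", name))
            elif name.upper().endswith("_TOKEN") and name.upper() != "GITHUB_TOKEN":
                findings.append((no, "custom-token-secret", name))
    if not PERMISSIONS_KEY.search(text):  # token falls back to the repo/org default
        findings.append((0, "no-permissions-block", ""))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(BEFORE):
        print(finding)
```

A `custom-token-secret` finding is a prompt for review rather than an error: the per-file summary above notes that `ci.yml` keeps a PAT for dispatch.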