Fix deploy permissions
Dreamsorcerer committed Mar 4, 2024
1 parent 2994ccc commit a99cfcf
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/ci-cd.yml
Expand Up @@ -116,6 +116,9 @@ jobs:
runs-on: ubuntu-latest
needs: [check]
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for trusted publishing & sigstore

webknjaz (Member), Mar 4, 2024:

@Dreamsorcerer FWIW these privileges shouldn't be added to the job building the dists, only to the publishing one. This is to prevent potential privilege escalation in other OIDC integrations through poisoning the build deps.

steps:
- name: Checkout
uses: actions/checkout@v4
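Review bot: the `permissions:` block added in this hunk (`contents: write`, `id-token: write`) lands on a job that also checks out the repository (the `actions/checkout@v4` step right below it) and, per the comment above, builds the dists there, so the OIDC-capable token is in scope while build dependencies execute; any compromised dependency running in that job can request an identity token and use it against the trusted-publishing integration, which is the escalation the comment describes. Suggest keeping this job at the workflow default (or `contents: read`), moving the two write scopes to a separate job that only publishes, and handing the built dists between the two jobs as an artifact so the privileged job never runs third-party build code.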

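One way to apply the comment above, as an added example that is not the repository's own workflow: the build job keeps the read-only default token and passes the dists on as an artifact, while only the publishing job receives `id-token: write` and `contents: write`. It assumes a Python project publishing to PyPI on `v*` tags; the job names, the artifact name and the `pypa/gh-action-pypi-publish` step are assumptions, not taken from the page.

```yaml
name: CI/CD

on:
  push:
    tags: ["v*"]

# Workflow-wide default: read-only token; jobs opt in to write scopes explicitly.
permissions:
  contents: read

jobs:
  build:
    # Runs checkout and third-party build dependencies with the read-only token only.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build sdist and wheel
        run: |
          python -m pip install build
          python -m build
      - name: Store dists for the publish job
        uses: actions/upload-artifact@v4
        with:
          name: dists
          path: dist/

  publish:
    # The only job allowed to mint an OIDC token or write GitHub Releases.
    # It never checks out source or installs build deps, so nothing untrusted
    # executes while these scopes are available.
    runs-on: ubuntu-latest
    needs: [build]
    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
    permissions:
      contents: write   # mandatory for making GitHub Releases
      id-token: write   # mandatory for trusted publishing & sigstore
    steps:
      - name: Fetch dists built in the unprivileged job
        uses: actions/download-artifact@v4
        with:
          name: dists
          path: dist/
      - name: Publish to PyPI via trusted publishing
        uses: pypa/gh-action-pypi-publish@release/v1
```

The split also makes the privilege boundary auditable: a reviewer only has to check that no step in `publish` pulls in code from outside the artifact.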