document examples, refresh README, prefer job-scoped permissions

thepwagner-org · Dec 18, 2023 · 2344fd7 · 2344fd7
1 parent df54b3b
commit 2344fd7
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 67 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,23 +1,25 @@
-name: Build
+# Example repository: https://github.com/thepwagner-org/debian
+
 on:
   workflow_call:
     secrets:
       token:
         required: true
         description: GitHub token
 
-permissions:
-  contents: read
-  packages: write
-  pull-requests: write
-  id-token: write
+permissions: {}
 
 env:
   DOCKER_BUILDKIT: 1
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: write
+      id-token: write
     steps:
       - name: "🌎 Fetching code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -1,4 +1,5 @@
-name: Check
+# Example repository: https://github.com/thepwagner-org/debian
+
 on:
   workflow_call:
     inputs:
@@ -17,14 +18,15 @@ on:
         required: true
         description: A non-Actions GitHub token, so Actions will react to pushes.
 
-permissions:
-  contents: write
-  packages: read
-  pull-requests: write
+permissions: {}
 
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: read
+      pull-requests: write
     steps:
       - name: "🌎 Fetching code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/ci-golang.yaml b/.github/workflows/ci-golang.yaml
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -1,23 +1,24 @@
-name: Publish
+# Example repository: https://github.com/thepwagner-org/debian
+
 on:
   workflow_call:
     secrets:
       token:
         required: true
         description: GitHub token
 
-permissions:
-  contents: read
-  packages: write
-  id-token: write
+permissions: {}
 
 env:
   DOCKER_BUILDKIT: 1
 
 jobs:
   publish:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
       - name: "🌎 Fetching code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/README.md b/README.md
@@ -8,7 +8,8 @@ These are GitHub Actions reusable workflows:
 I'm currently using Trivy to generate SBOMs including vulnerabilty scans, and loving it!
 
 You can see these in use in:
-* https://github.com/thepwagner-org/debian-bullseye - base image
+* https://github.com/thepwagner-org/debian - base image
 * https://github.com/thepwagner-org/duplicity - consumer image
+* https://github.com/thepwagner/github-token-factory-oidc - golang app
 
 This repo is also a demonstration of versioning reusable workflows: changes are staged in the `main` branch, but most users of the workflows follow tagged releases and are pushed updates via RenovateBot pull request - [example](https://github.com/thepwagner-org/debian-bullseye/pull/162).