From d80b4e5d6215c4276e0a59dcaffd71c1f5963078 Mon Sep 17 00:00:00 2001
From: messense
Date: Fri, 3 Mar 2023 13:07:53 +0800
Subject: [PATCH] Fine-grained GitHub Actions permission in `generate-ci`
---
 src/ci.rs | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/src/ci.rs b/src/ci.rs
index bf6613b15..2f63fb180 100644
--- a/src/ci.rs
+++ b/src/ci.rs
@@ -178,6 +178,9 @@ on:
 pull_request:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:\n",
 version = env!("CARGO_PKG_VERSION"),
 );
@@ -432,20 +435,31 @@ jobs:\n",
 runs-on: ubuntu-latest
 if: "startsWith(github.ref, 'refs/tags/')"
 needs: [{needs}]
- steps:
+"#,
+ needs = needs.join(", ")
+ ));
+ if platforms.contains(&Platform::Emscripten) {
+ conf.push_str(
+ r#" permissions:
+ # Used to upload release artifacts
+ contents: write
+"#,
+ );
+ }
+ conf.push_str(
+ r#" steps:
 - uses: actions/download-artifact@v3
 with:
 name: wheels
 - name: Publish to PyPI
 uses: PyO3/maturin-action@v1
 env:
- MATURIN_PYPI_TOKEN: ${{{{ secrets.PYPI_API_TOKEN }}}}
+ MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
 with:
 command: upload
 args: --skip-existing *
 "#,
- needs = needs.join(", ")
- ));
+ );
 if platforms.contains(&Platform::Emscripten) {
 conf.push_str(
 " - uses: actions/download-artifact@v3
@@ -505,6 +519,9 @@ mod tests {
 pull_request:
 workflow_dispatch:
 
+ permissions:
+ contents: read
+
 jobs:
 linux:
 runs-on: ubuntu-latest
@@ -629,6 +646,9 @@ mod tests {
 pull_request:
 workflow_dispatch:
 
+ permissions:
+ contents: read
+
 jobs:
 linux:
 runs-on: ubuntu-latest
@@ -747,6 +767,9 @@ mod tests {
 pull_request:
 workflow_dispatch:
 
+ permissions:
+ contents: read
+
 jobs:
 linux:
 runs-on: ubuntu-latest
@@ -910,6 +933,9 @@ mod tests {
 pull_request:
 workflow_dispatch:
 
+ permissions:
+ contents: read
+
 jobs:
 linux:
 runs-on: ubuntu-latest
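Review bot: The job-level `permissions:` block emitted in the Emscripten branch replaces the workflow-level `contents: read` for the release job rather than extending it, so any scope added to that branch later has to be listed in full; a comment on the `if platforms.contains(&Platform::Emscripten)` guard, e.g. `// Job-level permissions override the workflow default, so list every scope the release job needs`, would make that explicit to the next maintainer. The same `platforms.contains(&Platform::Emscripten)` test now appears twice in this function (once for the permissions block, once for the extra download-artifact step at the end of the hunk); binding it once, `let needs_release_upload = platforms.contains(&Platform::Emscripten);`, keeps the two conditions from drifting apart. Since the PyPI publish step relies only on the `PYPI_API_TOKEN` secret and no elevated GitHub token scope, leaving the job on the workflow default when Emscripten is absent appears correct. The enclosing function starts and ends outside the hunk.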