From 4d3aa8b5135eafa90f5acc7a0ef0bcf4e6c37b07 Mon Sep 17 00:00:00 2001
From: Keith
Date: Sat, 16 Mar 2024 02:29:14 +0900
Subject: [PATCH] ci: update ci permission and limit their environment
1. check checksum
2. merge master to dev
---
 .github/workflows/check_checksums.yml | 9 ++++-----
 .github/workflows/merge_released_into_develop.yml | 3 +++
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/check_checksums.yml b/.github/workflows/check_checksums.yml
index 9be93dc58e..087175598d 100644
--- a/.github/workflows/check_checksums.yml
+++ b/.github/workflows/check_checksums.yml
@@ -8,16 +8,16 @@ jobs:
 compare:
 name: Compare checksums
 runs-on: macos-latest
+ environment: Release
 permissions:
- contents: read
- actions: read
+ contents: write # to append checksum for each commit
+ actions: read # to read artifacts
 steps:
 - name: Checkout
 uses: actions/checkout@v4
 - name: Generate checksums from artifacts
- run:
- ruby ./scripts/release-checksums.rb ${{ github.event.release.tag_name }} | tee generated_checksums.txt
+ run: ruby ./scripts/release-checksums.rb ${{ github.event.release.tag_name }} | tee generated_checksums.txt
 - name: Fetch checksums from release note
 run: |
@@ -39,4 +39,3 @@ jobs:
 - uses: peter-evans/commit-comment@v3
 with:
 body: ${{ steps.comment_body.outputs.body }}
-
diff --git a/.github/workflows/merge_released_into_develop.yml b/.github/workflows/merge_released_into_develop.yml
index aaffa45742..5870eacb21 100644
--- a/.github/workflows/merge_released_into_develop.yml
+++ b/.github/workflows/merge_released_into_develop.yml
@@ -9,6 +9,9 @@ jobs:
 merge-to-dev:
 name: Merge into develop
 runs-on: ubuntu-latest
+ environment: Release
+ permissions:
+ pull-requests: write
 steps:
 - uses: actions/checkout@master
 - name: Request
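Review bot: The rewritten `run:` line in the `check_checksums.yml` hunk still interpolates `${{ github.event.release.tag_name }}` directly into the shell command, and the same hunk raises this job to `contents: write`, so a tag name containing shell metacharacters would now be interpreted by the shell under a token that can write to the repository. Pass the value through the environment instead: `env:` / `TAG: ${{ github.event.release.tag_name }}` on the step, and `run: ruby ./scripts/release-checksums.rb "$TAG" | tee generated_checksums.txt`. Release tags can only be created by accounts with write access, so the exposure is limited to that group, but the change is three lines and removes the reliance on that assumption. The `compare` job continues past the end of the hunk.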
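Review bot: Adding a job-level `permissions:` block that lists only `pull-requests: write` in the `merge_released_into_develop.yml` hunk sets every other scope for this job, including `contents`, to `none`; the job then checks out the repository and, judging by the step name `Request` (which is cut off at the end of the hunk), opens a pull request, so if any step pushes a branch or reads the repository through `GITHUB_TOKEN` that scope has to be declared explicitly, e.g. `contents: write # push the merge branch`. Confirm this against the steps that follow before merging, since they are outside the hunk. The `check_checksums.yml` hunk is not affected because it already lists `contents` and `actions` explicitly.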