chore: use built-in github token to improve security (#758)

TypeStrong · Jul 10, 2022 · 1771858 · 1771858
1 parent 7c70b9e
commit 1771858
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,5 +1,7 @@
 name: CI/CD
 on: [push, pull_request]
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -86,9 +88,11 @@ jobs:
 
   release:
     runs-on: ubuntu-latest
-    env:
-      GH_TOKEN: ${{ secrets.GH_PERSONAL_TOKEN }}
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    permissions:
+      issues: write
+      contents: write
+      pull-requests: write
+      deployments: write
     needs: [build, test]
     if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/alpha' || github.ref == 'refs/heads/beta')
     steps:
@@ -110,3 +114,6 @@ jobs:
 
       - name: Release
         run: yarn semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}