Add package permissions

edgefirst-dev · Oct 14, 2024 · 270fe0c · 270fe0c
1 parent b1cfa69
commit 270fe0c
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 6 deletions.
diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
@@ -12,6 +12,13 @@ on:
           - minor
           - patch
 
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   bump-version:
     name: Bump version

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,6 +2,13 @@ name: CI
 
 on: [push]
 
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   build:
     name: Build

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -5,6 +5,9 @@ on:
     branches: ["main"]
   workflow_dispatch:
 
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 permissions:
   contents: read
   pages: write

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,13 +4,18 @@ on:
   release:
     types: [published]
 
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
 jobs:
   publish-gpr:
     name: "Publish to GitHub Package Registry"
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
     steps:
       - uses: actions/checkout@v4
       - uses: oven-sh/setup-bun@v2
@@ -30,9 +35,6 @@ jobs:
   publish-npm:
     name: "Publish to npm"
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
     steps:
       - uses: actions/checkout@v4
       - uses: oven-sh/setup-bun@v2