From 086fde3f5265bece6a48ae88d55b00e98ed6d0b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tin=20Tvrtkovi=C4=87?=
Date: Sat, 30 Nov 2024 23:25:54 +0100
Subject: [PATCH] harden workflows

---
 .github/workflows/main.yml         | 6 ++++++
 .github/workflows/pypi-package.yml | 9 +++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d348ab6b..47d1d2dc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -19,6 +19,8 @@ jobs:
     steps:
       - uses: "actions/checkout@v4"
+        with:
+          persist-credentials: false
 
       - uses: "pdm-project/setup-pdm@v4"
         with:
@@ -48,6 +50,8 @@ jobs:
     steps:
       - uses: "actions/checkout@v4"
+        with:
+          persist-credentials: false
 
       - uses: "actions/setup-python@v5"
         with:
@@ -104,6 +108,8 @@ jobs:
     steps:
       - uses: "actions/checkout@v4"
+        with:
+          persist-credentials: false
 
       - uses: "pdm-project/setup-pdm@v4"
         with:
           python-version: "3.12"
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 63c6b784..d19c1b96 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -10,10 +10,6 @@ on:
     - published
   workflow_dispatch:
 
-permissions:
-  contents: read
-  id-token: write
-
 jobs:
   build-package:
     name: Build & verify package
@@ -23,6 +19,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v1
 
@@ -33,6 +30,8 @@ jobs:
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs: build-package
+    permissions:
+      id-token: write
     steps:
       - name: Download packages built by build-and-inspect-python-package
@@ -53,6 +52,8 @@ jobs:
     if: github.event.action == 'published'
     runs-on: ubuntu-latest
     needs: build-package
+    permissions:
+      id-token: write
     steps:
       - name: Download packages built by build-and-inspect-python-package
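Review bot: The hardening in this hunk stops at `persist-credentials: false`; every action it touches is still referenced by a mutable tag (`actions/checkout@v4`, `pdm-project/setup-pdm@v4`), so a compromised or force-moved tag still runs arbitrary code in this job with whatever token scope it has. Pin each action to its full commit SHA and keep the version as a trailing comment, e.g. `- uses: "actions/checkout@<full-commit-sha> # v4"`, and let Dependabot or Renovate bump the SHA. Whether main.yml declares a top-level `permissions:` block is not visible in this hunk; if it does not, add `permissions:` with `contents: read` at the top of the file so the GITHUB_TOKEN is read-only for every job. The enclosing job definition starts before and ends after this hunk.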
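Review bot: Deleting the whole top-level `permissions:` block removes `contents: read` together with `id-token: write`, and in the hunks shown the `build-package` job gains no `permissions:` of its own, so it now runs with the repository's default GITHUB_TOKEN scope, which is read/write on repositories created before the read-only default. Scoping `id-token: write` to the two publish jobs is the right move, but keep a read-only baseline: leave the top-level block as `permissions:` / `  contents: read` and remove only the `id-token: write` line (or add the same two lines to `build-package`). A `permissions:` key added outside these hunks would change this picture, so confirm against the full file.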
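Review bot: `id-token: write` on this job enables OIDC trusted publishing, but the job has no `environment:` key in this hunk, so the PyPI trusted-publisher binding cannot be restricted to a protected GitHub environment and no deployment protection rule (required reviewers, branch restriction) can gate a production release. Add `environment: pypi` next to `needs: build-package` (and the analogous `environment: test-pypi` on the main-branch job) and register that environment name in the PyPI publisher configuration, so a token minted by any other job or branch is rejected by PyPI. The job's steps, including the publish action itself, continue past the end of this hunk, so the key may already exist further down; if so, disregard.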