ivuorinen/base-configs-markdownlint
1
0
Fork 0
mirror of https://github.com/ivuorinen/base-configs-markdownlint.git synced 2026-03-01 17:54:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): use GITHUB_TOKEN for semantic-release and harden workflow permissions

Browse Source 
Replace secrets.PAT with secrets.GITHUB_TOKEN in publish.yml so
semantic-release can comment on PRs/issues using the built-in token
scoped by job-level permissions.

Set top-level permissions to empty object across all workflows to
follow the principle of least privilege, relying on job-level
permissions blocks instead.
This commit is contained in:
Ismo Vuorinen
2026-02-27 22:50:05 +02:00
parent bed0d1ea5e
commit 9e10b3e2b2
5 changed files with 7 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/publish.yml vendored
View File

@@ -6,7 +6,7 @@ on:
branches:
- main
permissions: read-all
permissions: {}
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -72,5 +72,5 @@ jobs:
- name: Semantic Release
uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
env:
GITHUB_TOKEN: ${{ secrets.PAT }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}