chore: update GitHub Actions workflows for permissions and token usage

- Changed permissions in auto-tag.yml and release.yml to 'write-all' for broader access. - Updated GITHUB_TOKEN to use RELEASE_TOKEN in both workflows for enhanced security. - Streamlined the workflows by removing redundant permission specifications.
2025-06-08 04:22:06 +08:00 · 2024-12-30 18:07:39 +08:00 · 2024-12-30 18:07:39 +08:00 · dff58fb4fb
commit dff58fb4fb
parent fa53723283
2 changed files with 6 additions and 16 deletions
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@ -10,13 +10,11 @@ on:
      - "LICENSE"
      - ".gitignore"

+permissions: write-all
+
 jobs:
  auto-tag:
    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      issues: write
-      pull-requests: write
    outputs:
      new_tag: ${{ steps.get_latest_tag.outputs.version }}
    steps:
@ -41,7 +39,7 @@ jobs:

      - name: Create new tag
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          new_tag=${{ steps.get_latest_tag.outputs.version }}
          git config --global user.name 'github-actions[bot]'
@ -52,9 +50,5 @@ jobs:
  release:
    needs: auto-tag
    uses: ./.github/workflows/release.yml
-    permissions:
-      contents: write
-      packages: write
-      issues: write
-      pull-requests: write
+    permissions: write-all
    secrets: inherit
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -6,11 +6,7 @@ on:
    tags:
      - "v*"

-permissions:
-  contents: write
-  packages: write
-  issues: write
-  pull-requests: write
+permissions: write-all

 jobs:
  goreleaser:
@ -51,5 +47,5 @@ jobs:
          version: v1.21.2
          args: release --clean
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}