Fix Release CI Permissions

maennchen · maennchen · commit 89af9c3a9224 · 2024-10-24T21:29:07.000Z
diff --git a/.github/workflows/part_build.yml b/.github/workflows/part_build.yml
@@ -39,11 +39,11 @@ jobs:
       - name: "Attest provenance"
         uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
         id: attest-provenance
-        if: "${{ github.event.inputs.attest }}"
+        if: "${{ inputs.attest }}"
         with:
           subject-path: 'mix_dependency_submission'
       - name: "Copy provenance"
-        if: "${{ github.event.inputs.attest }}"
+        if: "${{ inputs.attest }}"
         run: cp "$ATTESTATION" mix_dependency_submission.sigstore
         env:
           ATTESTATION: "${{ steps.attest-provenance.outputs.bundle-path }}"
diff --git a/.github/workflows/part_docs.yml b/.github/workflows/part_docs.yml
@@ -38,11 +38,11 @@ jobs:
       - name: "Attest docs provenance"
         uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
         id: attest-docs-provenance
-        if: "${{ github.event.inputs.attest }}"
+        if: "${{ inputs.attest }}"
         with:
           subject-path: 'docs.tar.gz'
       - name: "Copy docs provenance"
-        if: "${{ github.event.inputs.attest }}"
+        if: "${{ inputs.attest }}"
         run: cp "$ATTESTATION" docs.tar.gz.sigstore
         env:
           ATTESTATION: "${{ steps.attest-docs-provenance.outputs.bundle-path }}"
diff --git a/.github/workflows/part_release.yml b/.github/workflows/part_release.yml
@@ -66,5 +66,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          gh release upload --clobber "${{ inputs.releaseName }}" \
+          gh release upload \
+            --repo ${{ github.repository }} \
+            --clobber "${{ inputs.releaseName }}" \
             docs.tar.gz* mix_dependency_submission*
diff --git a/.github/workflows/tag-stable.yml b/.github/workflows/tag-stable.yml
@@ -11,11 +11,21 @@ permissions:
 jobs:
   build:
     name: "Build"
+    
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
 
     uses: ./.github/workflows/part_build.yml
 
   docs:
     name: "Docs"
+    
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
 
     uses: ./.github/workflows/part_docs.yml
 
diff --git a/.github/workflows/tag-unstable.yml b/.github/workflows/tag-unstable.yml
@@ -11,11 +11,21 @@ permissions:
 jobs:
   build:
     name: "Build"
+    
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
 
     uses: ./.github/workflows/part_build.yml
 
   docs:
     name: "Docs"
+    
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
 
     uses: ./.github/workflows/part_docs.yml
 
