Merge pull request #2159 from jku/permissions-tweaks

Github workflows: Permissions tweaks

Author: jku

.github/workflows/_test.yml

@@ -2,6 +2,7 @@ on:
   workflow_call:
   # Permissions inherited from caller workflow
 
+permissions: {}
 
 jobs:
   tests:

.github/workflows/cd.yml

@@ -6,8 +6,7 @@ on:
     tags:
       - v*
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   test:
@@ -17,8 +16,6 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     needs: test
-    outputs:
-      release_id: ${{ steps.gh-release.outputs.id }}
     steps:
       - name: Checkout release tag
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
@@ -36,6 +33,30 @@ jobs:
       - name: Build binary wheel and source tarball
         run: python3 -m build --sdist --wheel --outdir dist/ .
 
+      - name: Store build artifacts
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
+        # NOTE: The GitHub release page contains the release artifacts too, but using
+        # GitHub upload/download actions seems robuster: there is no need to compute
+        # download URLs and tampering with artifacts between jobs is more limited.
+        with:
+          name: build-artifacts
+          path: dist
+
+  candidate_release:
+    name: Release candidate on Github for review
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      contents: write # to modify GitHub releases
+    outputs:
+      release_id: ${{ steps.gh-release.outputs.id }}
+    steps:
+      - name: Fetch build artifacts
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
+        with:
+          name: build-artifacts
+          path: dist
+
       - id: gh-release
         name: Publish GitHub release candidate
         uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
@@ -45,20 +66,14 @@ jobs:
           body: "Release waiting for review..."
           files: dist/*
 
-      - name: Store build artifacts
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
-        # NOTE: The GitHub release page contains the release artifacts too, but using
-        # GitHub upload/download actions seems robuster: there is no need to compute
-        # download URLs and tampering with artifacts between jobs is more limited.
-        with:
-          name: build-artifacts
-          path: dist
 
   release:
     name: Release
     runs-on: ubuntu-latest
-    needs: build
+    needs: candidate_release
     environment: release
+    permissions:
+      contents: write # to modify GitHub releases
     steps:
       - name: Fetch build artifacts
         uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
@@ -67,6 +82,8 @@ jobs:
           path: dist
 
       - name: Publish binary wheel and source tarball on PyPI
+        # Only attempt pypi upload in upstream repository
+        if: github.repository == 'theupdateframework/python-tuf'
         uses: pypa/gh-action-pypi-publish@37f50c210e3d2f9450da2cd423303d6a14a6e29f
         with:
           user: __token__
@@ -79,7 +96,7 @@ jobs:
             await github.rest.repos.updateRelease({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              release_id: '${{ needs.build.outputs.release_id }}',
+              release_id: '${{ needs.candidate_release.outputs.release_id }}',
               name: '${{ github.ref_name }}',
               body: 'See [CHANGELOG.md](https://github.com/' +
                      context.repo.owner + '/' + context.repo.repo +

.github/workflows/ci.yml

@@ -8,8 +8,7 @@ on:
   pull_request:
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:

.github/workflows/codeql-analysis.yml

@@ -7,6 +7,9 @@ on:
     branches: [ develop ]
   schedule:
     - cron: '30 0 * * 2'
+  workflow_dispatch:
+
+permissions: {}
 
 jobs:
   analyze:

.github/workflows/specification-version-check.yml

@@ -2,7 +2,11 @@ on:
   schedule:
     - cron: "0 13 * * *"
   workflow_dispatch:
+
 name: Specification version check
+
+permissions: {}
+
 jobs:
   # Get the version of the TUF specification the project states it supports
   get-supported-tuf-version: