diff --git a/.github/workflows/branch_main.yml b/.github/workflows/branch_main.yml
index adb4183..786640c 100644
--- a/.github/workflows/branch_main.yml
+++ b/.github/workflows/branch_main.yml
@@ -5,6 +5,9 @@ on:
 name: "Main Branch"
+permissions:
+ contents: read
+
 jobs:
 test:
 name: "Test"
diff --git a/.github/workflows/part_docs.yml b/.github/workflows/part_docs.yml
index 20990eb..861699a 100644
--- a/.github/workflows/part_docs.yml
+++ b/.github/workflows/part_docs.yml
@@ -1,13 +1,5 @@
 on:
- workflow_call:
- inputs:
- releaseName:
- required: false
- type: string
- publishToPages:
- required: false
- type: boolean
- default: false
+ workflow_call: {}
 name: "Documentation"
@@ -52,51 +44,3 @@ jobs:
 with:
 path: docs
- deploy_pages:
- name: "Deploy to GitHub Pages"
-
- runs-on: ubuntu-latest
-
- if: ${{ inputs.publishToPages }}
-
- needs: ["generate"]
-
- permissions:
- pages: write
- id-token: write
-
- environment:
- name: github-pages
- url: ${{ steps.deployment.outputs.page_url }}
-
- steps:
- - name: Deploy to GitHub Pages
- id: deployment
- uses: actions/deploy-pages@v4
-
- upload_release:
- name: "Upload"
-
- runs-on: ubuntu-latest
-
- if: ${{ inputs.releaseName }}
-
- needs: ["generate"]
-
- permissions:
- contents: write
-
- steps:
- - uses: actions/checkout@v4
- - uses: actions/download-artifact@v4
- with:
- name: docs
- path: docs
- - run: |
- tar -czvf docs.tar.gz docs
- - name: Upload
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- gh release upload --clobber "${{ inputs.releaseName }}" \
- docs.tar.gz
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 1b3fcdb..0bfcd0b 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -6,6 +6,9 @@ on:
 name: "Pull Request"
+permissions:
+ contents: read
+
 jobs:
 test:
 name: "Test"
diff --git a/.github/workflows/tag-beta.yml b/.github/workflows/tag-beta.yml
index ad21a43..0a1dc1c 100644
--- a/.github/workflows/tag-beta.yml
+++ b/.github/workflows/tag-beta.yml
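Review bot: Collapsing the trigger in part_docs.yml to `workflow_call: {}` removes the `releaseName` input while a caller still passes it: the second tag-stable.yml hunk in this commit keeps `with: releaseName: "${{ github.ref_name }}"` on its call to `./.github/workflows/part_docs.yml` and drops only `publishToPages`. A reusable-workflow call that supplies an input the callee does not declare fails workflow validation, so the stable-tag release would likely not start at all. Either remove that `with:` block from the caller or keep `releaseName` declared here until the caller is updated.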
@@ -5,10 +5,16 @@ on:
 name: "Beta Tag"
+permissions:
+ contents: read
+
 jobs:
 release:
 name: "Release"
+ permissions:
+ contents: write
+
 uses: ./.github/workflows/part_release.yml
 with:
 releaseName: "${{ github.ref_name }}"
diff --git a/.github/workflows/tag-stable.yml b/.github/workflows/tag-stable.yml
index 3e9e635..848a8f9 100644
--- a/.github/workflows/tag-stable.yml
+++ b/.github/workflows/tag-stable.yml
@@ -5,10 +5,16 @@ on:
 name: "Stable Tag"
+permissions:
+ contents: read
+
 jobs:
 release:
 name: "Release"
+ permissions:
+ contents: write
+
 uses: ./.github/workflows/part_release.yml
 with:
 releaseName: "${{ github.ref_name }}"
@@ -22,4 +28,60 @@ jobs:
 uses: ./.github/workflows/part_docs.yml
 with:
 releaseName: "${{ github.ref_name }}"
- publishToPages: true
+
+ deploy_pages:
+ name: "Deploy to GitHub Pages"
+
+ needs: ["release", "docs"]
+
+ runs-on: ubuntu-latest
+
+ if: ${{ inputs.publishToPages }}
+
+ needs: ["generate"]
+
+ permissions:
+ pages: write
+ id-token: write
+
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
+
+ upload_release:
+ name: "Upload"
+
+ needs: ["release", "docs"]
+
+ runs-on: ubuntu-latest
+
+ if: ${{ inputs.releaseName }}
+
+ needs: ["generate"]
+
+ permissions:
+ contents: write
+ attestations: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v4
+ with:
+ name: docs
+ path: docs
+ - run: |
+ tar -czvf docs.tar.gz docs
+ - name: Upload
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ gh release upload --clobber "${{ inputs.releaseName }}" \
+ docs.tar.gz
+ - name: "Attest Documentation"
+ uses: actions/attest@v1
+ subject-path: "docs.tar.gz"
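Review bot: The `deploy_pages` and `upload_release` jobs added in the last tag-stable.yml hunk still carry their reusable-workflow wiring: each has a second `needs: ["generate"]` after `needs: ["release", "docs"]` (a duplicate key, naming a job this hunk does not show in this workflow) and an `if:` on `inputs.*`, which is only populated for called or manually dispatched workflows, so on a tag push the jobs would presumably be rejected or skipped. In the "Attest Documentation" step `subject-path` is written as a step key with no `with:` mapping, and the job grants `attestations: write` but not `id-token: write`, which the attest action needs to obtain its signing certificate. The upload step also expands `${{ inputs.releaseName }}` inside the `run:` script; handing the tag over through `env` keeps an unusual tag name from being interpreted by the shell. As far as I know `actions/attest` also expects a predicate to be supplied, so confirm the step's inputs against its README, or use `actions/attest-build-provenance` if plain build provenance is what is intended. A possible shape for `upload_release` follows; `deploy_pages` needs only its `if:` and second `needs` removed, and the hunk itself begins inside an earlier job (the call to part_docs.yml) whose start is not shown.

```yaml
  upload_release:
    needs: ["release", "docs"]
    # … unchanged: name, runs-on …
    permissions:
      contents: write
      id-token: write
      attestations: write
    steps:
      # … unchanged: checkout, download-artifact, tar …
      - name: Upload
        env:
          GITHUB_TOKEN: ${{ github.token }}
          RELEASE_NAME: ${{ github.ref_name }}
        run: |
          gh release upload --clobber "$RELEASE_NAME" \
            docs.tar.gz
      - name: "Attest Documentation"
        uses: actions/attest@v1
        with:
          subject-path: "docs.tar.gz"
```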