fix: explicit set workflow permission and move secrets to necessary (#3484) [skip ci]

* fix: explicit set workflow permission and move secrets to necessary steps only * fix: comment * fix: more permission restrict * chore: add read for pypi
2026-03-16 11:13:05 +07:00
parent defee62d99
commit 4a5876df7a
9 changed files with 43 additions and 13 deletions
--- a/.github/workflows/base.yml
+++ b/.github/workflows/base.yml
@@ -15,6 +15,9 @@ on:
      - '.github/workflows/base.yml'
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  build-base:
    if: ${{ github.repository_owner == 'axolotl-ai-cloud' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) }}
@@ -124,7 +127,7 @@ jobs:
          images: |
            axolotlai/axolotl-base
      - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        if: ${{ github.event_name != 'pull_request' && env.HAS_DOCKERHUB_CREDS == 'true' }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -132,7 +135,7 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./docker/${{ matrix.dockerfile }}
@@ -247,7 +250,7 @@ jobs:
          images: |
            axolotlai/axolotl-base-uv
      - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        if: ${{ github.event_name != 'pull_request' && env.HAS_DOCKERHUB_CREDS == 'true' }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -255,7 +258,7 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./docker/${{ matrix.dockerfile }}