fix: explicit set workflow permission and move secrets to necessary (#3484) [skip ci]

* fix: explicitly set workflow permissions and move secrets to necessary
steps only

* fix: comment

* fix: more permission restrict

* chore: add read for pypi
This commit is contained in:
NanoCode012
2026-03-16 11:13:05 +07:00
committed by GitHub
parent defee62d99
commit 4a5876df7a
9 changed files with 43 additions and 13 deletions


@@ -3,9 +3,11 @@ name: publish pypi
on:
push:
tags:
- 'v*'
- "v*"
workflow_dispatch:
permissions: {}
jobs:
setup_release:
name: Create Release
@@ -28,7 +30,8 @@ jobs:
name: pypi
url: https://pypi.org/p/axolotl
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
contents: read
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- name: Check out repository code
uses: actions/checkout@v4
@@ -46,7 +49,7 @@ jobs:
- name: Extract tag name
id: tag
run: echo ::set-output name=TAG_NAME::$(echo $GITHUB_REF | cut -d / -f 3)
run: echo "TAG_NAME=$(echo $GITHUB_REF | cut -d / -f 3)" >> "$GITHUB_OUTPUT"
- name: Update version in VERSION file
run: |