From 7a0747947cbe15072562f40fbda6de9897c1c8a0 Mon Sep 17 00:00:00 2001
From: Carson Yang
Date: Thu, 3 Apr 2025 14:01:17 +0800
Subject: [PATCH] Enhance GitHub Actions workflows security and permissions (#4445)

Signed-off-by: Carson Yang
---
 .github/workflows/docs-deploy-kubeconfig.yml | 11 +++++++++--
 .github/workflows/docs-deploy-vercel.yml | 10 ++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/docs-deploy-kubeconfig.yml b/.github/workflows/docs-deploy-kubeconfig.yml
index cc6d11ca7..833016117 100644
--- a/.github/workflows/docs-deploy-kubeconfig.yml
+++ b/.github/workflows/docs-deploy-kubeconfig.yml
@@ -10,6 +10,13 @@ on:
 jobs:
   build-fastgpt-docs-images:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -50,8 +57,8 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Aliyun
         uses: docker/login-action@v3
diff --git a/.github/workflows/docs-deploy-vercel.yml b/.github/workflows/docs-deploy-vercel.yml
index 0b8b91b50..f0d6e0473 100644
--- a/.github/workflows/docs-deploy-vercel.yml
+++ b/.github/workflows/docs-deploy-vercel.yml
@@ -20,6 +20,11 @@ jobs:
     # The type of runner that the job will run on
     runs-on: ubuntu-22.04
 
+    permissions:
+      contents: write
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+
     # Job outputs
     outputs:
       docs: ${{ steps.filter.outputs.docs }}
@@ -71,7 +76,8 @@ jobs:
         working-directory: docSite/public
 
       - name: Deploy to GitHub Pages
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v4
+        if: github.ref == 'refs/heads/main'
         with:
-          github_token: ${{ secrets.GH_PAT }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: docSite/public
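Review bot: The job-level `permissions` block added to docs-deploy-kubeconfig.yml grants `attestations: write` and `id-token: write`, but none of the steps visible in this hunk request an OIDC token or produce attestations, so those two scopes may be wider than the job needs. `id-token: write` lets every step in the job, including third-party actions, mint an OIDC token, so it is worth confirming against the build/push step outside this hunk that a provenance or attestation option is actually enabled; if it is not, reduce the block to `contents: read` and `packages: write`. If the scopes are needed, a one-line comment above the block such as `# id-token/attestations: required by the image provenance step` would record why they exist. The job body continues past the end of the hunk.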
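Review bot: Switching the ghcr.io login to `${{ secrets.GITHUB_TOKEN }}` ties the push authorization to the job's `packages: write` scope, which only covers packages under the repository owner's namespace; if the image tags pushed later in this job target a different owner or organization, the login will succeed but the push will be rejected, so verify the tag namespace against the build/push step outside this hunk. Since `GH_PAT` is no longer read here, the long-lived token should be rotated or removed from the repository secrets once no other workflow references it. The `Login to Aliyun` step that follows is unchanged and presumably still uses repository secrets; the step list continues past the end of the hunk.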
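Review bot: `permissions: contents: write` in docs-deploy-vercel.yml applies to every step of the job, not only the GitHub Pages deploy, so the checkout, path filter, build and any third-party action in this job run with a token that can push to the repository. Moving the deploy into its own job with `contents: write` and keeping this job at `contents: read` would keep the write-capable token out of the build steps; the job's step list is outside this hunk, so confirm nothing else in it needs write access first. The new `concurrency` group has no `cancel-in-progress` setting, so queued runs serialize rather than cancel, which is reasonable for a deploy but deserves a comment such as `# queued, not cancelled: an in-flight Pages deploy must finish` so the choice reads as deliberate. A blank line between the `permissions` and `concurrency` stanzas would match the spacing of the surrounding keys.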
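Review bot: `uses: peaceiris/actions-gh-pages@v4` references a mutable tag, so the code this step runs can change between runs without any change to this repository; because the step receives a `contents: write` token, pinning it to a full commit SHA with the version in a trailing comment, `uses: peaceiris/actions-gh-pages@<full-commit-sha>  # v4`, is the usual mitigation (the SHA for the v4 release is not on this page and must be looked up). The added `if: github.ref == 'refs/heads/main'` checks only the ref, not the event; if the workflow's `on:` triggers, which are outside this hunk, include anything other than `push`, extending it to `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` would avoid deploying from other event types that also resolve to main. The enclosing job starts before this hunk.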