Skip to content

Explicitly set GH_TOKEN permissions #173

Explicitly set GH_TOKEN permissions

Explicitly set GH_TOKEN permissions #173

Workflow file for this run

name: Flowzone
on:
pull_request:
types: [opened, synchronize, closed]
branches: [main, master]
# allow external contributions to use secrets within trusted code
pull_request_target:
types: [opened, synchronize, closed]
branches: [main, master]
# Base permissions required by Flowzone
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
permissions:
actions: none
attestations: none
checks: none
contents: read
deployments: none
id-token: none
issues: none
discussions: none
pages: none
pull-requests: none
repository-projects: none
security-events: none
statuses: none
# Additional permissions needed by this repo, such as:
packages: write # Allow Flowzone to publish to ghcr.io
jobs:
flowzone:
name: Flowzone
uses: product-os/flowzone/.github/workflows/flowzone.yml@master
# prevent duplicate workflow executions for pull_request and pull_request_target
if: |
(
github.event.pull_request.head.repo.full_name == github.repository &&
github.event_name == 'pull_request'
) || (
github.event.pull_request.head.repo.full_name != github.repository &&
github.event_name == 'pull_request_target'
)
secrets: inherit
with:
docker_images: |
ghcr.io/balena-io-modules/node-systemd
cargo_targets: ''
# The custom publish matrix lists the docker image architectures from
# where we will extract the binaries for publishing.
# The linux/arm/v6 binary below should work for both v6 and
# v7. Node.js doesn't distinguish between these architectures
custom_publish_matrix: |
linux/arm/v6,
linux/arm64,
linux/amd64,
linux/386