ci: remove unnecessary publish workflow permissions (#204)

In #202, trusted publishing to PyPI was introduced, requiring permission id-token: write. However, all permissions were granted to the CI, which is not necessary. This PR restricts the workflow permissions to those which are necessary.
datamole-ai · Feb 15, 2024 · 4804878 · 4804878
1 parent 8b3fc38
commit 4804878
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -17,9 +17,12 @@ jobs:
   publish-python:
     runs-on: ubuntu-22.04  # convco needs GLIBC_2.32 which is not in 20.04
     environment: publish
-    # IMPORTANT: trusted publishing requires permission: id-token: write! Without it, the trusted publishing will not work!
-    # If the permission is the only one that is set, all other permissions are automatically set to none, which may cause permissions issues within the job.
-    permissions: write-all
+    # Trusted publishing requires permission: id-token: write
+    # contents: read to access the repository's contents is set by default,
+    # however when permissions are explicitly set, the default is overridden.
+    permissions:
+      id-token: write
+      contents: read
     outputs:
       new_version: ${{ steps.set-vars.outputs.new_version }}
     steps: