chore(ci): separate permissions for build and publish jobs

lukekarrys · lukekarrys · commit b2d4eb3586cf · 2022-08-11T15:54:05.000-07:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,25 +1,16 @@
 name: Publish
 
-
 on:
   push:
     branches:
     - main
-
-  # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
-
-  # This gets called from the update-cli workflow
   workflow_call:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 jobs:
   build-and-upload:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     # Check out the content (source branch)
@@ -46,6 +37,9 @@ jobs:
         path: './public'
 
   deploy:
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
@@ -1,12 +1,9 @@
 name: Update CLI
 
 on:
+  workflow_dispatch:
   schedule:
   - cron: "14 2 * * *"
-  workflow_dispatch:
-
-permissions:
-  contents: write
 
 jobs:
   update-cli:
@@ -16,6 +13,10 @@ jobs:
     steps:
     - name: Check out source
       uses: actions/checkout@v3
+    - name: Setup git user
+      run: |
+        git config --global user.email "npm-cli+bot@github.com"
+        git config --global user.name "npm CLI robot"
     - name: Use Node.js
       uses: actions/setup-node@v3
       with:
@@ -38,8 +39,6 @@ jobs:
       if: steps.status.outputs.has_changes == '1'
       run: |
         git add --verbose .
-        git config user.name 'npm CLI robot'
-        git config user.email 'npm-cli+bot@github.com'
         git commit -m 'CLI documentation update from CI'
         git push origin main
 
