From 37a016576bf3e7071927b5ff3ef132583528cd5f Mon Sep 17 00:00:00 2001
From: Nik Clayton
Date: Sun, 4 Feb 2024 20:45:00 +0100
Subject: [PATCH] ci: Make secrets available in CI workflow (#415)

Previous code used `pull_request:` which meant `secrets.GRADLE_ENCRYPTION_KEY` was not available, so the configuration cache was not restored. Use `pull_request_target` to give the workflow access to `secrets`, and explicitly downscope the permissions of `GITHUB_TOKEN` to read only.
---
 .github/workflows/ci.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e1044f51f..984ff6ac3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,12 +1,17 @@
 name: CI
+# Run on pull_request_target to access secrets.GRADLE_ENCRYPTION_KEY,
+# and ensure permissions are marked read-only
+
 on:
 push:
 tags:
 - '*'
- pull_request:
+ pull_request_target:
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 build:
 strategy:
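Review bot: Switching the trigger under `on:` to `pull_request_target` makes repository secrets available to runs started by fork pull requests, and the added `permissions: read-all` only limits `GITHUB_TOKEN`; it does not restrict what a step can do with `secrets.GRADLE_ENCRYPTION_KEY`. The `jobs:` block continues outside this hunk, so the checked-out ref is not visible: with the default checkout the build would presumably run the base branch rather than the PR's changes, and if the job checks out the PR head instead, contributor-controlled Gradle code would run in a context that holds the secret and, as far as I know, can write to caches in the base repository's scope. I would keep the build of PR code on `pull_request` without the secret (accepting a cold configuration cache for forks), or put the secret-bearing job behind an environment with required reviewers. Separately, `read-all` grants read on every scope; a `permissions:` map with only `contents: read` looks sufficient for a build, and the comment should record the constraint, e.g. `# pull_request_target: never check out or run PR head code in a job that can read secrets`.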