ci: Make secrets available in CI workflow (#415)
Previous code used `pull_request:` which meant `secrets.GRADLE_ENCRYPTION_KEY` was not available, so the configuration cache was not restored. Use `pull_request_target` to give the workflow access to `secrets`, and explicitly downscope the permissions of `GITHUB_TOKEN` to read only.
parent 54d7888316
commit 37a016576b
|
@ -1,12 +1,17 @@
|
||||||
name: CI
|
name: CI
|
||||||
|
|
||||||
|
# Run on pull_request_target to access secrets.GRADLE_ENCRYPTION_KEY,
|
||||||
|
# and ensure permissions are marked read-only
|
||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
tags:
|
tags:
|
||||||
- '*'
|
- '*'
|
||||||
pull_request:
|
pull_request_target:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
strategy:
|
strategy:
|
||||||
|
|
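Review bot: The switch from `pull_request:` to `pull_request_target:` in the `on:` block makes the `build` job run in the base repository's context with `secrets` available, and the added `permissions: read-all` only scopes `GITHUB_TOKEN`; it does not restrict what a step can do with `secrets.GRADLE_ENCRYPTION_KEY`. The steps of `build` are not visible in this hunk, so please confirm which ref they check out. With `pull_request_target` the default checkout is the base branch, which would mean the PR's changes are no longer what CI builds. If the job instead explicitly checks out the PR head and runs Gradle on it, build scripts from a fork execute with the encryption key in reach. Consider keeping `pull_request` for fork PRs and accepting the configuration cache miss there, or gating the secret-using steps on PRs from the same repository. Separately, `read-all` grants read on every token scope; `contents: read` is probably enough for a build, and the new comment above `on:` would be a good place to record the checkout assumption.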