fix: various actions workflow security improvements (#17651)

* fix: set persist-credentials explicitly for checkout https://woodruffw.github.io/zizmor/audits/#artipacked * fix: minimize permissions scope for workflows https://woodruffw.github.io/zizmor/audits/#excessive-permissions * fix: remove potential template injections https://woodruffw.github.io/zizmor/audits/#template-injection * fix: only pass needed secrets in workflow_call https://woodruffw.github.io/zizmor/audits/#secrets-inherit * fix: push perm for single-arch build jobs I hadn't realised these push to the registry too :x * chore: fix formatting * fix: $ * fix: retag job quoting --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-18 22:10:27 +02:00
parent 0e6ac87645
commit 504930947d
18 changed files with 269 additions and 63 deletions
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -4,18 +4,22 @@ on:
  release:
    types: [published]

-permissions:
-  packages: write
+permissions: {}

 jobs:
  publish:
    name: Publish `@immich/sdk`
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./open-api/typescript-sdk
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
      # Setup .npmrc file to publish to npm
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with: