diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index ba331178f..cc7b3ea76 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -34,6 +34,9 @@
 group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}-${{ inputs.is_PR && 'is_PR' || 'not_PR'}}
 cancel-in-progress: true
+ permissions:
+ contents: read
+
 env:
 STORE_FILE_PATH: /tmp/app-debug.keystore
 BUILD_JSON_PATH: build.json
@@ -44,7 +47,13 @@
 timeout-minutes: 60
 runs-on: ubuntu-latest
 if: github.repository_owner == 'Acode-Foundation'
-
+
+ permissions:
+# contents write is needed to create Nightly Releases.
+ contents: write
+ issues: write
+ pull-requests: write
+
 outputs:
 release_output_url: ${{ steps.release.outputs.url }}
 updated_version: ${{ steps.update-version.outputs.UPDATED_VERSION}}
diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml
index 5399eb0bf..103d35aed 100644
--- a/.github/workflows/on-demand-preview-releases-PR.yml
+++ b/.github/workflows/on-demand-preview-releases-PR.yml
@@ -7,7 +7,7 @@ on:
 # - '.github/**'
 types: [labeled, synchronize]
-
+# defined at workflow-level as the workflow, Requires these permissions to function.
 permissions:
 contents: write
 pull-requests: write
@@ -23,7 +23,8 @@ jobs:
 job_trigger:
 name: Trigger Preview Release (if conditions met)
 if: |
- (github.repository_owner == 'Acode-Foundation'
+ github.event.pull_request.draft == false
+ && (github.repository_owner == 'Acode-Foundation'
 && (!contains(github.event.pull_request.labels.*.name, 'DO NOT PREVIEW RELEASE')
 && (contains(github.event.pull_request.labels.*.name, 'Bypass check - PREVIEW RELEASE')
 || contains(github.event.pull_request.labels.*.name, 'CI: RUN ON-DEMAND PREVIEW RELEASES')))
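Review bot: The job-level `permissions` block added after the `if:` line in nightly-build.yml documents only `contents: write`; `issues: write` and `pull-requests: write` are granted with no stated reason, and the steps that would use them are outside the hunk. Either drop the two scopes or give each its own comment indented with the keys, e.g. `# pull-requests: write is needed to <step that requires it>`, so a later reader can tell when a scope has become unnecessary. Because the concurrency group reads `inputs.is_PR`, this file looks like it is also run as a called workflow; a called job cannot be granted more than the caller's token holds, and the caller-side block visible in on-demand-preview-releases-PR.yml lists `contents` and `pull-requests` but no `issues` in the lines shown, so confirm that scope is granted there. If the build steps of this job process pull-request code, consider moving the release step into its own job so that only it holds the write scopes.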
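Review bot: The new `github.event.pull_request.draft == false` term in `job_trigger`'s `if:` still leaves the label check as the only approval, and with `types: [labeled, synchronize]` that check passes again on every later push once a label such as 'CI: RUN ON-DEMAND PREVIEW RELEASES' is present. If the triggered release builds the PR head with the `contents: write` token declared at workflow level (the trigger and the build steps are outside the visible hunks), commits pushed after a maintainer applied the label run without a fresh decision; consider removing the label on `synchronize` or gating the release job behind an environment with required reviewers. The draft term also means a PR labeled while in draft gets no preview when it is marked ready, since `ready_for_review` is not in `types`; add it if that transition should trigger a build. The `if:` expression continues past the end of the hunk.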