Merge pull request #4856 from arturcic/chore/github-actions-secret-cleanup

chore(build): reduce GitHub Actions secret usage

Author: arturcic

.github/workflows/_docker.yml

@@ -18,6 +18,9 @@ env:
   DOTNET_INSTALL_DIR: "./.dotnet"
   DOTNET_ROLL_FORWARD: "Major"
 
+permissions:
+  packages: write
+
 jobs:
   docker:
     name: ${{ matrix.docker_distro }} - net${{ matrix.dotnet_version }}
@@ -64,4 +67,4 @@ jobs:
         docker_registry_username: ${{ secrets.DOCKER_USERNAME }}
         docker_registry_password: ${{ secrets.DOCKER_PASSWORD }}
         github_registry_username: ${{ github.repository_owner }}
-        github_registry_password: ${{ secrets.DOCKER_GITHUB_TOKEN }}
+        github_registry_password: ${{ github.token }}

.github/workflows/_docker_manifests.yml

@@ -12,6 +12,9 @@ env:
   DOTNET_INSTALL_DIR: "./.dotnet"
   DOTNET_ROLL_FORWARD: "Major"
 
+permissions:
+  packages: write
+
 jobs:
   manifest:
     name: ${{ matrix.docker_distro }} - net${{ matrix.dotnet_version }}
@@ -43,4 +46,4 @@ jobs:
         docker_registry_username: ${{ secrets.DOCKER_USERNAME }}
         docker_registry_password: ${{ secrets.DOCKER_PASSWORD }}
         github_registry_username: ${{ github.repository_owner }}
-        github_registry_password: ${{ secrets.DOCKER_GITHUB_TOKEN }}
+        github_registry_password: ${{ github.token }}

.github/workflows/ci.yml

@@ -34,7 +34,7 @@ env:
   DOTNET_NOLOGO: 1
   TESTINGPLATFORM_TELEMETRY_OPTOUT: 1
 
-  ENABLED_DIAGNOSTICS: ${{ secrets.ENABLED_DIAGNOSTICS }}
+  ENABLED_DIAGNOSTICS: ${{ vars.ENABLED_DIAGNOSTICS }}
 
 permissions:
   id-token: write
@@ -122,8 +122,14 @@ jobs:
     name: Release
     needs: [ publish, docker_linux_manifests ]
     runs-on: windows-2025
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+      attestations: write
+      issues: write
     env:
-      GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+      GITHUB_TOKEN: ${{ github.token }}
     steps:
     -
       name: Checkout

.github/workflows/docs.yml

@@ -121,11 +121,14 @@ jobs:
         reporter: ${{ steps.reporter.outputs.value }}
 
   publish:
+    if: github.event_name == 'repository_dispatch' || github.event_name == 'workflow_dispatch'
     name: Publish docs
     needs: [ validate ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     env:
-      GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+      GITHUB_TOKEN: ${{ github.token }}
       GITHUB_USERNAME: ${{ github.actor }}
     steps:
     -

.github/workflows/mkdocs.yml

@@ -29,6 +29,9 @@ defaults:
   run:
     shell: pwsh
 
+permissions:
+  contents: write
+
 jobs:
   docs:
     name: Update Markdown (embedded snippets)
@@ -38,8 +41,6 @@ jobs:
         name: Checkout
         uses: actions/checkout@v6
         if: github.event_name == 'push'
-        with:
-          token: ${{ secrets.PUSH_GITHUB_TOKEN }}
       -
         name: Checkout
         uses: actions/checkout@v6
@@ -68,4 +69,4 @@ jobs:
           git config user.email 'gittoolsbot@outlook.com'
           git commit -m 'Docs changes' --allow-empty
           git push --force
-        if: steps.status.outputs.has_changes == '1'
+        if: steps.status.outputs.has_changes == '1' && github.event_name == 'push'

.github/workflows/public-api.yml

@@ -10,21 +10,19 @@ defaults:
     shell: pwsh
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   homebrew:
     permissions:
-      contents: none
+      contents: write
     name: Mark public API as shipped
     runs-on: ubuntu-24.04
     steps:
       -
         name: Checkout
         uses: actions/checkout@v6
         if: github.event_name == 'repository_dispatch' || github.event_name == 'workflow_dispatch'
-        with:
-          token: ${{ secrets.PUSH_GITHUB_TOKEN }}
       -
         name: Mark public API as shipped
         run: ./src/mark-shipped.ps1