Commit aad3c10
ci(release): scope publish job permissions to contents:read
Add an explicit `permissions: contents: read` block to the
`run-on-release` job in the Maven Central publish workflow.
This is the sole automated production path that publishes ably-java
artifacts to Sonatype / Maven Central, so it warrants the strictest
permissions footprint we can give it.
Authentication to Maven Central is entirely via repository secrets
passed as Gradle environment variables (`SONATYPE_USERNAME`,
`SONATYPE_PASSWORD`) plus the in-memory GPG signing key
(`SIGNING_IN_MEMORY_KEY`, `SIGNING_KEY_ID`, `SIGNING_PASSWORD`). None
of those depend on `GITHUB_TOKEN` scopes. The job performs no git
push, no tag creation, no release publishing, and no other API call
against the GitHub side, so `contents: read` covers everything the
job actually does.
Closes 1 zizmor `excessive-permissions` finding.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 4f1f6ab
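An illustrative workflow fragment showing the shape of the change the commit message describes: a job-level `permissions` block restricting `GITHUB_TOKEN` to `contents: read`, with Maven Central credentials supplied through repository secrets rather than token scopes. This is an added example, not the ably-java workflow file; the job name `run-on-release` and the secret names come from the commit message, while the trigger, runner, action versions, Java version and Gradle task name are assumptions.

```yaml
# Illustrative publish workflow (not the project's own file).
name: Publish to Maven Central
on:
  release:
    types: [published]

# Workflow-level default. Leaving this out lets GITHUB_TOKEN inherit the
# repository's default scopes, which is what an excessive-permissions
# finding points at. An empty map grants nothing by default.
permissions: {}

jobs:
  run-on-release:
    runs-on: ubuntu-latest
    # Job-level block overrides the workflow default. contents: read is the
    # minimum actions/checkout needs; the job never writes to GitHub.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumed
      - run: ./gradlew publish   # assumed task name
        env:
          # Repository secrets are independent of GITHUB_TOKEN scopes, so
          # narrowing the token does not affect authentication to Sonatype.
          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
          SIGNING_IN_MEMORY_KEY: ${{ secrets.SIGNING_IN_MEMORY_KEY }}
          SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
          SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
```

A job-level `permissions` block replaces, rather than merges with, the workflow-level one, so the narrowest scope applies to exactly the job that carries it; other jobs in the same workflow keep whatever the workflow-level default (or the repository default) grants.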
1 file changed
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| 10 | + | |
| 11 | + | |
10 | 12 | | |
11 | 13 | | |
12 | 14 | | |
| |||
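Review bot: the rendered diff shows two added lines (new lines 10 and 11) and no removals, so the workflow-level `permissions` stanza, if one exists, is untouched by this change and any other job in the file still inherits the workflow or repository default; it would be worth stating in the commit message whether `run-on-release` is the only job here or whether the others also need scoping. The added lines are not visible in this rendering, so a reviewer cannot confirm from the hunk alone that the block is indented under the job rather than at the top level; the commit title says job-scoped, which matches a two-line insertion, but a link to the zizmor output (or a zizmor step in CI) would let the finding's closure be verified rather than asserted.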
0 commit comments