Improve dotnet CI workflow permissions & publish

pwelter34 · pwelter34 · commit c4811dd60289 · 2026-05-07T14:03:51.000-05:00
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
@@ -6,7 +6,6 @@ env:
   DOTNET_ENVIRONMENT: github
   ASPNETCORE_ENVIRONMENT: github
   BUILD_PATH: "${{github.workspace}}/artifacts"
-  COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
 
 on:
   push:
@@ -20,9 +19,14 @@ on:
       - main
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
@@ -49,6 +53,7 @@ jobs:
         continue-on-error: true
         uses: coverallsapp/github-action@v2
         with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           file: "${{github.workspace}}/test/*/TestResults/*/coverage.info"
           format: lcov
 
@@ -67,6 +72,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: success() && github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
+    permissions:
+      contents: read
+      packages: write
 
     steps:
       - name: Download Artifact
@@ -75,23 +83,29 @@ jobs:
           name: packages
 
       - name: Publish Packages GitHub
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          for package in $(find -name "*.nupkg"); do
-            echo "${0##*/}": Pushing $package...
-            dotnet nuget push $package --source https://nuget.pkg.github.com/loresoft/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate
+          for package in $(find . -name "*.nupkg"); do
+            echo "${0##*/}: Pushing $package..."
+            dotnet nuget push "$package" --source https://nuget.pkg.github.com/loresoft/index.json --api-key "$GITHUB_TOKEN" --skip-duplicate
           done
 
       - name: Publish Packages feedz
+        env:
+          FEEDDZ_KEY: ${{ secrets.FEEDDZ_KEY }}
         run: |
-          for package in $(find -name "*.nupkg"); do
-            echo "${0##*/}": Pushing $package...
-            dotnet nuget push $package --source https://f.feedz.io/loresoft/open/nuget/index.json --api-key ${{ secrets.FEEDDZ_KEY }} --skip-duplicate
+          for package in $(find . -name "*.nupkg"); do
+            echo "${0##*/}: Pushing $package..."
+            dotnet nuget push "$package" --source https://f.feedz.io/loresoft/open/nuget/index.json --api-key "$FEEDDZ_KEY" --skip-duplicate
           done
 
       - name: Publish Packages Nuget
         if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          NUGET_KEY: ${{ secrets.NUGET_KEY }}
         run: |
-          for package in $(find -name "*.nupkg"); do
-            echo "${0##*/}": Pushing $package...
-            dotnet nuget push $package --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_KEY }} --skip-duplicate
+          for package in $(find . -name "*.nupkg"); do
+            echo "${0##*/}: Pushing $package..."
+            dotnet nuget push "$package" --source https://api.nuget.org/v3/index.json --api-key "$NUGET_KEY" --skip-duplicate
           done
