From af530544d99cdad2e3d6b7dc71f61db50d791ba3 Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Fri, 10 Apr 2026 16:11:36 -0500 Subject: [PATCH 01/12] Add fork-safe PR build workflow Dedicated PR workflow that calls bakery-build-pr.yml, which is safe for fork PRs (no secrets required). Consolidates all three build types (production, development, session) into a single workflow with a unified CI gate.
---
.github/workflows/pr.yml | 54 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/pr.yml
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..46477ce
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,54 @@
+name: Pull Request
+on:
+ pull_request:
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ ci:
+ name: CI
+ if: always()
+ runs-on: ubuntu-latest
+ permissions: {}
+ timeout-minutes: 10
+ needs:
+ - production
+ - development
+ - session
+ steps:
+ - uses: re-actors/alls-green@release/v1
+ with:
+ jobs: ${{ toJSON(needs) }}
+
+ production:
+ name: Production
+ permissions:
+ contents: read
+ packages: write
+ uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main
+ with:
+ dev-versions: "exclude"
+ matrix-versions: "exclude"
+
+ development:
+ name: Development
+ permissions:
+ contents: read
+ packages: write
+ uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main
+ with:
+ dev-versions: "only"
+ matrix-versions: "exclude"
+
+ session:
+ name: Session
+ permissions:
+ contents: read
+ packages: write
+ uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main
+ with:
+ matrix-versions: "only"
From 3f62667c384ec916c1b92278bb6398c26784001f Mon Sep 17 00:00:00 2001
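Review bot: Nothing at the `on: pull_request:` trigger records that fork safety depends on that exact event, while the `production`, `development` and `session` jobs below it all carry `packages: write` and build PR-controlled content. A later switch to `pull_request_target` would hand that write-scoped token to a build of code from a fork. I would add a comment above the trigger, for example `# Must stay pull_request (not pull_request_target): the jobs below build PR-controlled code and rely on the read-only fork token.`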
From: "Benjamin R. J. Schwedler" Date: Fri, 10 Apr 2026 16:11:45 -0500 Subject: [PATCH 02/12] Remove pull_request trigger from build workflows PR builds are now handled by the dedicated pr.yml workflow which uses bakery-build-pr.yml (fork-safe, no secrets). --- .github/workflows/development.yml | 2 -- .github/workflows/production.yml | 2 -- .github/workflows/session.yml | 2 -- 3 files changed, 6 deletions(-) diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml index a051a28..086be99 100644 --- a/.github/workflows/development.yml +++ b/.github/workflows/development.yml @@ -15,8 +15,6 @@ on: # Hourly rebuild of dev images - cron: "45 4 * * *" # At 04:45 every day - pull_request: - push: branches: - main diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml index dc4abbe..d8f6697 100644 --- a/.github/workflows/production.yml +++ b/.github/workflows/production.yml @@ -6,8 +6,6 @@ on: # Weekly rebuild of all images, to pick up any upstream changes. - cron: "15 3 * * 0" # At 03:15 on Sunday - pull_request: - push: branches: - main diff --git a/.github/workflows/session.yml b/.github/workflows/session.yml index 2295b7e..05b61c0 100644 --- a/.github/workflows/session.yml +++ b/.github/workflows/session.yml @@ -6,8 +6,6 @@ on: # Weekly rebuild of all images, to pick up any upstream changes. - cron: "15 4 * * 0" # At 04:15 on Sunday - pull_request: - push: branches: - main From 12c41b2f9394c643c0d44d567ccd8cc391c570f2 Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Fri, 10 Apr 2026 16:12:02 -0500 Subject: [PATCH 03/12] Fix session.yml cron condition mismatch The if condition referenced cron '15 3 * * 0' but the actual schedule is '15 4 * * 0'. With pull_request removed, simplify to check event_name directly instead of matching cron strings. --- .github/workflows/session.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/session.yml b/.github/workflows/session.yml index 05b61c0..bd28c88 100644 --- a/.github/workflows/session.yml +++ b/.github/workflows/session.yml @@ -44,7 +44,7 @@ jobs: # Builds all versions of each image in parallel. # # Run on merges to main, or on weekly scheduled re-builds. - if: contains(fromJSON('["push", "pull_request"]'), github.event_name) || github.event.schedule == '15 3 * * 0' + if: github.event_name == 'push' || github.event_name == 'schedule' permissions: contents: read packages: write From e2299d3df9d9cbc4acd435530e4efa33db3f901a Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Fri, 10 Apr 2026 16:12:30 -0500 Subject: [PATCH 04/12] Add permissions declarations Set top-level permissions: {} on all workflows and per-job permissions: {} on CI meta-jobs and the issues job. This follows the principle of least privilege by requiring each job to explicitly declare the permissions it needs. --- .github/workflows/development.yml | 3 +++ .github/workflows/issues.yml | 3 +++ .github/workflows/production.yml | 3 +++ .github/workflows/release.yml | 2 ++ .github/workflows/session.yml | 3 +++ 5 files changed, 14 insertions(+) diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml index 086be99..8f53667 100644 --- a/.github/workflows/development.yml +++ b/.github/workflows/development.yml @@ -19,6 +19,8 @@ on: branches: - main +permissions: {} + concurrency: # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags # A pull_request will reuse the same group thus enabling cancelation, all others receive a unique run_id @@ -35,6 +37,7 @@ jobs: if: always() runs-on: ubuntu-latest + permissions: {} timeout-minutes: 10 needs: - dev diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index 25bd6c0..1b95e3a 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml 
@@ -4,11 +4,14 @@ on: types: - opened +permissions: {} + jobs: issue: # only run in posit-dev/images-workbench. if: github.repository == 'posit-dev/images-workbench' runs-on: ubuntu-latest + permissions: {} steps: - name: GitHub App Token diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml index d8f6697..1e6148e 100644 --- a/.github/workflows/production.yml +++ b/.github/workflows/production.yml @@ -10,6 +10,8 @@ on: branches: - main +permissions: {} + concurrency: # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags # A pull_request will reuse the same group thus enabling cancelation, all others receive a unique run_id @@ -26,6 +28,7 @@ jobs: if: always() runs-on: ubuntu-latest + permissions: {} timeout-minutes: 10 needs: - lint diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7a22baa..dc1e2b8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,8 @@ on: required: true type: string +permissions: {} + jobs: release: uses: posit-dev/images-shared/.github/workflows/product-release.yml@main diff --git a/.github/workflows/session.yml b/.github/workflows/session.yml index bd28c88..48aca5d 100644 --- a/.github/workflows/session.yml +++ b/.github/workflows/session.yml @@ -10,6 +10,8 @@ on: branches: - main +permissions: {} + concurrency: # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags # A pull_request will reuse the same group thus enabling cancelation, all others receive a unique run_id @@ -21,6 +23,7 @@ jobs: name: CI if: always() runs-on: ubuntu-latest + permissions: {} timeout-minutes: 10 needs: - build From 9c0cb9161828c85ca8bf320913ad20d10772d49f Mon Sep 17 00:00:00 2001 
From: "Benjamin R. J. Schwedler" Date: Fri, 10 Apr 2026 16:20:42 -0500 Subject: [PATCH 05/12] Remove top-level permissions from caller workflows Top-level permissions on workflows that call reusable workflows acts as a ceiling, blocking job-level grants from reaching the callee. Remove it from all workflows except issues.yml (which doesn't call reusable workflows). Per-job permissions remain. --- .github/workflows/development.yml | 1 - .github/workflows/pr.yml | 1 - .github/workflows/production.yml | 1 - .github/workflows/release.yml | 1 - .github/workflows/session.yml | 1 - 5 files changed, 5 deletions(-) diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml index 8f53667..0e0df03 100644 --- a/.github/workflows/development.yml +++ b/.github/workflows/development.yml @@ -19,7 +19,6 @@ on: branches: - main -permissions: {} concurrency: # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 46477ce..8b762cb 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -2,7 +2,6 @@ name: Pull Request on: pull_request: -permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml index 1e6148e..8a59f7a 100644 --- a/.github/workflows/production.yml +++ b/.github/workflows/production.yml @@ -10,7 +10,6 @@ on: branches: - main -permissions: {} concurrency: # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dc1e2b8..25d13af 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,7 +7,6 @@ on: required: true type: string -permissions: {} jobs: release: 
diff --git a/.github/workflows/session.yml b/.github/workflows/session.yml index 48aca5d..c22ac96 100644 --- a/.github/workflows/session.yml +++ b/.github/workflows/session.yml @@ -10,7 +10,6 @@ on: branches: - main -permissions: {} concurrency: # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags From 7dc1fc598878a109f7468ff3752d96639f967bc6 Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Fri, 10 Apr 2026 16:27:59 -0500 Subject: [PATCH 06/12] Pin third-party actions to commit SHAs Mutable tags can be overwritten, allowing supply chain attacks. Pin to immutable commit SHAs with specific version comments so Dependabot can track updates. --- .github/workflows/development.yml | 2 +- .github/workflows/issues.yml | 6 +++--- .github/workflows/pr.yml | 2 +- .github/workflows/production.yml | 2 +- .github/workflows/session.yml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml index 0e0df03..8e45bef 100644 --- a/.github/workflows/development.yml +++ b/.github/workflows/development.yml @@ -42,7 +42,7 @@ jobs: - dev steps: - - uses: re-actors/alls-green@release/v1 + - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 id: alls-green with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index 1b95e3a..e0123c1 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml 
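Review bot: The `# v1.2.2` comment on the pinned `re-actors/alls-green` line only helps if something actually bumps the pin, and no Dependabot configuration is added or touched anywhere in this series. Confirm that `.github/dependabot.yml` already has a `github-actions` entry, otherwise these SHAs will age silently. The same applies to the pins this commit adds in issues.yml, pr.yml, production.yml and session.yml. It is also worth checking each SHA against the tag named in its comment before merge, since nothing verifies the comment.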
@@ -15,20 +15,20 @@ jobs: steps: - name: GitHub App Token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 id: app-token with: app-id: ${{ secrets.WORKBENCH_IDE_RELEASE_APP_ID }} private-key: ${{ secrets.WORKBENCH_IDE_RELEASE_PEM }} - name: Add to Platform Carbon Project - uses: actions/add-to-project@v1.0.2 + uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: github-token: ${{ steps.app-token.outputs.token }} project-url: https://github.com/orgs/posit-dev/projects/17 - name: Add Default Labels - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 with: github_token: ${{ steps.app-token.outputs.token }} labels: | diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 8b762cb..d0871cc 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -19,7 +19,7 @@ jobs: - development - session steps: - - uses: re-actors/alls-green@release/v1 + - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml index 8a59f7a..4ac09fe 100644 --- a/.github/workflows/production.yml +++ b/.github/workflows/production.yml @@ -34,7 +34,7 @@ jobs: - build steps: - - uses: re-actors/alls-green@release/v1 + - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 id: alls-green with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/session.yml b/.github/workflows/session.yml index c22ac96..dcd8feb 100644 --- a/.github/workflows/session.yml +++ b/.github/workflows/session.yml @@ -27,7 +27,7 @@ jobs: needs: - build steps: - - uses: re-actors/alls-green@release/v1 + - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 id: alls-green with: jobs: ${{ toJSON(needs) }} 
From 5e8b695cc8aa7dae9fdede9f8e3b003e82d6f54b Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Fri, 10 Apr 2026 16:29:59 -0500 Subject: [PATCH 07/12] Add zizmor static analysis to CI Add zizmor job to PR workflows and a .github/zizmor.yml policy that allows ref-pinned images-shared refs while requiring hash-pinning for all third-party actions. --- .github/workflows/pr.yml | 12 ++++++++++++ .github/zizmor.yml | 9 +++++++++ 2 files changed, 21 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index d0871cc..6655bfe 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -18,6 +18,7 @@ jobs: - production - development - session + - zizmor steps: - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: @@ -51,3 +52,14 @@ jobs: uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main with: matrix-versions: "only" + + zizmor: + name: Zizmor + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..0533c12 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,9 @@ +rules: + unpinned-uses: + config: + policies: + # Shared workflows and composite actions from images-shared + # are kept at @main intentionally. + "posit-dev/images-shared/*": ref-pin + "*": hash-pin + From 08e2aa9fce245c45ba4a06d317b1cb7fb5b94c28 Mon Sep 17 00:00:00 2001 
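Review bot: The `"posit-dev/images-shared/*": ref-pin` exception in zizmor.yml leaves every reusable-workflow call on the moving `@main` branch, and the comment says only that this is intentional, not why it is acceptable. Whatever is on images-shared `main` at run time executes with the permissions the caller jobs grant, which in pr.yml includes `packages: write`. I would extend the comment to state the trust assumption, e.g. `# Trusted: same org, main is branch-protected and reviewed; callers grant it write scopes, so revisit if that changes.` That protection is not visible from this diff, so it should be confirmed rather than assumed.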
From: "Benjamin R. J. Schwedler" Date: Mon, 13 Apr 2026 11:41:07 -0500 Subject: [PATCH 08/12] Add permissions and timeout to release workflow The release workflow was the only workflow without explicit permissions, inheriting the repo default. Add least-privilege permissions (contents:write, pull-requests:write) to match what product-release.yml needs, plus a 10-minute timeout. --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 25d13af..d545df9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,10 @@ on: jobs: release: + timeout-minutes: 10 + permissions: + contents: write + pull-requests: write uses: posit-dev/images-shared/.github/workflows/product-release.yml@main with: version: ${{ inputs.version }} From a9b69cffb833642efd6cd779e69860a1151463a0 Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Mon, 13 Apr 2026 11:56:47 -0500 Subject: [PATCH 09/12] Tighten PR workflow permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Downgrade packages:write to packages:read on PR build jobs — PR builds never push, cache is read-only - Add security-events:write to zizmor job for SARIF upload to the Security tab --- .github/workflows/pr.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 6655bfe..f6b36cd 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -28,7 +28,7 @@ jobs: name: Production permissions: contents: read - packages: write + packages: read uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main with: dev-versions: "exclude" @@ -38,7 +38,7 @@ jobs: name: Development permissions: contents: read - packages: write + packages: read uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main with: dev-versions: "only" 
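Review bot: `timeout-minutes: 10` is added to the `release` job, but that job calls a reusable workflow via `uses:`, and GitHub's documented keyword list for such jobs (`name`, `uses`, `with`, `secrets`, `strategy`, `needs`, `if`, `concurrency`, `permissions`) does not include `timeout-minutes`. As far as I can tell this makes release.yml fail validation, which would surface as a failed run on any push that touches the file. That may be the push-time failure the last patch in this series attributes to `inputs.version`. The timeout belongs on the jobs inside `product-release.yml`; here I would drop the line and keep only the `permissions` block.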
@@ -48,7 +48,7 @@ jobs: name: Session permissions: contents: read - packages: write + packages: read uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main with: matrix-versions: "only" @@ -58,6 +58,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + security-events: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: From ef8f06546e7516de73403f65208df3276576466e Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Fri, 24 Apr 2026 14:56:28 -0500 Subject: [PATCH 10/12] Fix session.yml dispatch and PR cache permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add workflow_dispatch to the session build job's if condition — it was excluded, making manual dispatch a no-op despite the push input already handling it. Grant packages: write on PR caller jobs so bakery-build-pr.yml can write to GHCR caches on internal PRs. Fork PRs are unaffected by GitHub's platform-enforced read-only token. --- .github/workflows/pr.yml | 6 +++--- .github/workflows/session.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f6b36cd..386dc39 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -28,7 +28,7 @@ jobs: name: Production permissions: contents: read - packages: read + packages: write uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main with: dev-versions: "exclude" @@ -38,7 +38,7 @@ jobs: name: Development permissions: contents: read - packages: read + packages: write uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main with: dev-versions: "only" @@ -48,7 +48,7 @@ jobs: name: Session permissions: contents: read - packages: read + packages: write uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main with: matrix-versions: "only" 
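Review bot: Restoring `packages: write` on the `production`, `development` and `session` callers lets any same-repo PR branch write to GHCR before review; the commit message says the grant is for build caches. If `bakery-build-pr.yml` writes to the same cache references that the push and scheduled builds read from, unreviewed PR content could flow into published images. The callee is not visible here, so that has to be checked there. I would keep the grant only if PR cache writes go to a PR-scoped ref, and say so beside it, e.g. `# write is for PR-scoped build cache only; release builds must not import it`.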
diff --git a/.github/workflows/session.yml b/.github/workflows/session.yml index dcd8feb..7d7db46 100644 --- a/.github/workflows/session.yml +++ b/.github/workflows/session.yml @@ -46,7 +46,7 @@ jobs: # Builds all versions of each image in parallel. # # Run on merges to main, or on weekly scheduled re-builds. - if: github.event_name == 'push' || github.event_name == 'schedule' + if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' permissions: contents: read packages: write From d6dc182be1cf222adad4a1d72fa9899b689c1189 Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Fri, 24 Apr 2026 15:01:44 -0500 Subject: [PATCH 11/12] Clean up stale comments and archived action Remove stale concurrency comments referencing pull_request trigger which no longer exists on these workflows. Replace archived actions-ecosystem/action-add-labels with gh issue edit. --- .github/workflows/development.yml | 2 -- .github/workflows/issues.yml | 10 +++++----- .github/workflows/production.yml | 2 -- .github/workflows/session.yml | 2 -- 4 files changed, 5 insertions(+), 11 deletions(-) diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml index 8e45bef..685dc34 100644 --- a/.github/workflows/development.yml +++ b/.github/workflows/development.yml @@ -21,8 +21,6 @@ on: concurrency: - # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags - # A pull_request will reuse the same group thus enabling cancelation, all others receive a unique run_id group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index e0123c1..338dc2c 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml 
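Review bot: The comment above the changed `if:` in session.yml still reads "Run on merges to main, or on weekly scheduled re-builds." although the condition now also admits `workflow_dispatch`. I would update it to `# Run on merges to main, on weekly scheduled re-builds, or on manual dispatch.` so the guard and its explanation agree. The job body continues outside the hunk.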
@@ -28,8 +28,8 @@ jobs: project-url: https://github.com/orgs/posit-dev/projects/17 - name: Add Default Labels - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 - with: - github_token: ${{ steps.app-token.outputs.token }} - labels: | - docker + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + GH_REPO: ${{ github.repository }} + ISSUE_NUMBER: ${{ github.event.issue.number }} + run: gh issue edit "$ISSUE_NUMBER" --add-label "docker" diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml index 4ac09fe..a7f8fb7 100644 --- a/.github/workflows/production.yml +++ b/.github/workflows/production.yml @@ -12,8 +12,6 @@ on: concurrency: - # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags - # A pull_request will reuse the same group thus enabling cancelation, all others receive a unique run_id group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/session.yml b/.github/workflows/session.yml index 7d7db46..e2a0962 100644 --- a/.github/workflows/session.yml +++ b/.github/workflows/session.yml @@ -12,8 +12,6 @@ on: concurrency: - # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags - # A pull_request will reuse the same group thus enabling cancelation, all others receive a unique run_id group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true From a51825bcf47cb736992fda4a65818c1f2a6babb1 Mon Sep 17 00:00:00 2001 
From: "Benjamin R. J. Schwedler" Date: Fri, 24 Apr 2026 16:29:17 -0500 Subject: [PATCH 12/12] Guard release job against non-dispatch triggers GitHub creates a check run for modified workflow files on push even when the file only triggers on workflow_dispatch. The run fails because inputs.version is undefined in a push context. --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d545df9..0f6b82e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,7 @@ on: jobs: release: + if: github.event_name == 'workflow_dispatch' timeout-minutes: 10 permissions: contents: write