Merge pull request #587 from supabase/chore-review-actions

imor · web-flow · commit 6c67a9ef461c · 2025-04-09T17:54:44.000+05:30
ci: explicit permissions in actions
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -3,6 +3,9 @@ on:
   pull_request:
   push: { branches: [master] }
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,10 @@ on:
     tags:
       - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   release:
     name: Create Release
@@ -87,7 +91,7 @@ jobs:
           cp `find target/release -type f -name "${{ matrix.extension_name }}*"` archive
 
           # name of the package directory before packaging
-          package_dir=${{ matrix.extension_name }}-${{ github.ref_name }}-pg${{ matrix.postgres }}-${{ matrix.box.arch }}-linux-gnu
+          package_dir="${{ matrix.extension_name }}-${{ github.ref_name }}-pg${{ matrix.postgres }}-${{ matrix.box.arch }}-linux-gnu"
 
           # Copy files into directory structure
           mkdir -p ${package_dir}/usr/lib/postgresql/lib
@@ -110,7 +114,7 @@ jobs:
           cd ../../../../../..
 
           # Create install control file
-          extension_version=${{ github.ref_name }}
+          extension_version="${{ github.ref_name }}"
           # strip the leading v
           deb_version=${extension_version:1}
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
   push: { branches: [master] }
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Run tests
