From 3efc72bab9cf3d4905dc974e9d53bfecf5b4f43c Mon Sep 17 00:00:00 2001 From: vorotamoroz Date: Wed, 8 Jul 2026 03:24:33 +0000 Subject: [PATCH] limit permission --- .github/workflows/finalise-release.yml | 1 + .github/workflows/release.yml | 1 + devs.md | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/finalise-release.yml b/.github/workflows/finalise-release.yml index 50b9d74..6cd3095 100644 --- a/.github/workflows/finalise-release.yml +++ b/.github/workflows/finalise-release.yml @@ -15,6 +15,7 @@ on: jobs: finalise: runs-on: ubuntu-latest + environment: release permissions: contents: write steps: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 72c9ba2..f92a573 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,6 +25,7 @@ on: jobs: build: runs-on: ubuntu-latest + environment: release permissions: contents: write id-token: write diff --git a/devs.md b/devs.md index 2e4a579..14de1ed 100644 --- a/devs.md +++ b/devs.md @@ -264,6 +264,7 @@ In short, the situation remains unchanged for me, but it means you all become a ## Release Workflow This workflow is for maintainers. Contributors should update `## Unreleased` for user-facing feature or fix PRs, but do not need to run the release workflows. +The `Finalise Release Tags` and `Release Obsidian Plugin` workflows use the `release` GitHub Environment. Configure Environment protection in the repository settings so tag creation and release publication require maintainer approval. - Run the `Prepare Release PR` workflow with the target version. It creates the release branch, updates versions, moves the `## Unreleased` notes to the target version, commits the release preparation, pushes the branch, and opens a draft release PR. - Do not tag the release branch when the PR is first created. Polish the release PR first, especially `updates.md`.