Commit 98504a8

release: move secrets to workflow environment
Migrate applicable secrets to a new 'release' workflow environment. This is a security measure to help ensure secrets cannot be accessed by those without proper permissions.
1 parent 8db67cd commit 98504a8

2 files changed

+9
-0
lines changed

.github/workflows/release-homebrew.yaml

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@ on:
66
jobs:
77
release:
88
runs-on: ubuntu-latest
9+
environment: release
910
steps:
1011
- name: Update Homebrew tap
1112
uses: mjcheetham/[email protected]
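
Review bot: The third-party action on the `uses: mjcheetham/...` step now runs inside a job that can read the `release` environment's secrets, so whatever ref it resolves to is trusted with them. If that ref is a tag or branch, pin it to a full commit SHA so the code that receives the secrets cannot change without a reviewed edit to this file.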

.github/workflows/release.yml

Lines changed: 8 additions & 0 deletions
@@ -10,6 +10,7 @@ jobs:
1010
osx-build:
1111
name: Build macOS
1212
runs-on: macos-latest
13+
environment: release
1314
strategy:
1415
matrix:
1516
runtime: [ osx-x64, osx-arm64 ]
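
Review bot: `osx-build` is a build job rather than a signing or publishing job, and nothing in these lines shows it reading a secret; no hunk in this patch gives `linux-build`, `dotnet-tool-build` or `dotnet-tool-pack` the same treatment. If no step in `osx-build` references `secrets.*`, leave `environment: release` off it so the environment's secrets are exposed only to the jobs that need them. If it does need one, a comment beside the line naming that secret would explain the difference from the other build jobs.
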
@@ -70,6 +71,7 @@ jobs:
7071
name: Sign macOS payload
7172
# ESRP service requires signing to run on Windows
7273
runs-on: windows-latest
74+
environment: release
7375
strategy:
7476
matrix:
7577
runtime: [ osx-x64, osx-arm64 ]
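
Review bot: Missing documentation on the new `environment: release` line: `runs-on` directly above it carries an explanatory comment (`# ESRP service requires signing to run on Windows`), but nothing here says that this job's secrets now live in the environment. A one-line comment to that effect would stop a later edit from removing the key, or from adding a new signing job without it and getting empty secret values at run time.
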
@@ -172,6 +174,7 @@ jobs:
172174
name: Sign and notarize macOS package
173175
# ESRP service requires signing to run on Windows
174176
runs-on: windows-latest
177+
environment: release
175178
strategy:
176179
matrix:
177180
runtime: [ osx-x64, osx-arm64 ]
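
Review bot: Because of the `runtime` matrix, `environment: release` applies to each leg as its own job, so any protection rule configured on the environment (required reviewers, wait timer) is evaluated for both `osx-x64` and `osx-arm64`. Please confirm the environment's rules were set up with the matrix jobs in mind, so that a release cannot stall with one leg approved and the other still pending.
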
@@ -242,6 +245,7 @@ jobs:
242245
win-sign:
243246
name: Build and Sign Windows
244247
runs-on: windows-latest
248+
environment: release
245249
steps:
246250
- uses: actions/checkout@v3
247251

@@ -375,6 +379,7 @@ jobs:
375379
needs: linux-build
376380
# ESRP service requires signing to run on Windows
377381
runs-on: windows-latest
382+
environment: release
378383
steps:
379384
- uses: actions/checkout@v3
380385

@@ -452,6 +457,7 @@ jobs:
452457
name: Sign .NET tool payload
453458
# ESRP service requires signing to run on Windows
454459
runs-on: windows-latest
460+
environment: release
455461
needs: dotnet-tool-build
456462
steps:
457463
- uses: actions/checkout@v3
@@ -545,6 +551,7 @@ jobs:
545551
name: Sign .NET tool package
546552
# ESRP service requires signing to run on Windows
547553
runs-on: windows-latest
554+
environment: release
548555
needs: dotnet-tool-pack
549556
steps:
550557
- uses: actions/checkout@v3
@@ -690,6 +697,7 @@ jobs:
690697
create-github-release:
691698
name: Publish GitHub draft release
692699
runs-on: ubuntu-latest
700+
environment: release
693701
needs: [ validate ]
694702
steps:
695703
- uses: actions/checkout@v3
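
Review bot: No `permissions:` key appears between `create-github-release:` and `steps:`, so this job's `GITHUB_TOKEN` scope comes from the workflow-level setting or the repository default. The job publishes the draft release and now also holds the `release` environment's secrets, so give it a job-level `permissions:` block limited to what publishing needs (for example `contents: write`) unless the workflow already restricts the token at the top level.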
