1 file changed: +32 -0 lines changed
lines changed Original file line number Diff line number Diff line change 1+ # IMPORTANT: When using any workflow trigger that is triggered in some way by another workflow, extra care must be taken with tokens.
2+ # The workflow **MUST** always use the token that is passed down from the triggering workflow. This is to prevent intentionally
3+ # permissionless workflow runs to gain permissions indirectly via the triggered workflow.
4+ #
5+ # For example: When an external party creates a PR via a fork, the CI workflow would run with a permissionless token to prevent a
6+ # malicious party to execute any code they want via the PR changes. If the triggered workflow uses a token with permissions,
7+ # the malicious code would then have access to this token anyways once the triggered workflow runs. Not using the token passed down
8+ # from the triggering workflow is comparable to just handing a token with near full permission to a malicious party. **ALWAYS**
9+ # use `${{ github.token }}` and limit permissions to the bare minimum required with the `permissions` section of a job.
10+ #
11+ name : Post-run Cleanup
12+
13+ on :
14+ workflow_run :
15+ workflows : [Continuous Integration, Release]
16+ types :
17+ - completed
18+
19+ jobs :
20+ delete-artifacts :
21+ runs-on : ubuntu-latest
22+ permissions :
23+ contents : read
24+ actions : write
25+ steps :
26+ - name : Delete Artifacts
27+ # https://github.com/wearefrank/ci-cd-templates/blob/main/delete-workflow-artifacts/README.md
28+ uses : wearefrank/ci-cd-templates/delete-workflow-artifacts@837393940996acef9b2620b3815a1dcf2a1d09e0 # v2.1.0
29+ with :
30+ token : ${{ github.token }}
31+ artifact-names : ' pre-build-*, build-*'
32+ workflow-run-id : ${{ github.event.workflow_run.id }}
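Review bot: the `artifact-names` value in the `with:` block has a leading space inside the quotes (`' pre-build-*, build-*'`), so the first pattern is ` pre-build-*` unless the action trims each comma-separated entry; writing it as `'pre-build-*, build-*'` removes that dependency. The header comment is also worth tightening: `${{ github.token }}` here is not a token handed down from the triggering run but this run's own GITHUB_TOKEN, scoped by the `permissions` block, and the reason a fork's PR code cannot reach it is that a `workflow_run` job executes the workflow file from the default branch rather than anything the PR changed. The least-privilege part is right as written: `contents: read` plus `actions: write` is the minimum needed to delete artifacts, and pinning the action to a full commit SHA with the version as a trailing comment is the right way to reference it.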