security: scope reusable-workflow secrets (least privilege) over secrets: inherit #9
@@ -80,7 +80,11 @@ jobs:
|
||||
env:
|
||||
# --- event context (from the CALLER's github.*) -------------------
|
||||
GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
|
||||
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
|
||||
# github.token is the auto job token from the github CONTEXT (not a
|
||||
# secret), so it's present even without `secrets: inherit`. Using
|
||||
# secrets.GITEA_TOKEN here would be empty under explicit secret
|
||||
# forwarding, since the auto token isn't a forwarded workflow_call secret.
|
||||
GITEA_TOKEN: ${{ github.token }}
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
PR: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
|
||||
PR_BRANCH: ${{ github.head_ref }}
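Review bot: `GITEA_TOKEN: ${{ github.token }}` is set in the same `env:` block as `PR` and `PR_BRANCH`, so every step that inherits this block receives the job token, including any step that handles contributor-controlled values such as `github.head_ref`. Whether the block is job-level or step-level, and what the steps do, is outside the hunk; if it is job-level, move the line into the `env:` of only the step(s) that call `GITEA_API`. The added comment explains why the context token is used but not what it may do, so I would add a line such as `# Needs only <required API scopes> on this repo; keep out of steps that run PR code.` If the runner honours a `permissions:` key, declaring the minimum there would complete the least-privilege goal in the title.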
|
||||
|
||||