security: scope reusable-workflow secrets (least privilege) over secrets: inherit #9

steve merged 3 commits from sec/scope-secrets into main 2026-06-28 01:17:16 +00:00
+5 -1
@@ -80,7 +80,11 @@ jobs:
env:
# --- event context (from the CALLER's github.*) -------------------
GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
# github.token is the auto job token from the github CONTEXT (not a
# secret), so it's present even without `secrets: inherit`. Using
# secrets.GITEA_TOKEN here would be empty under explicit secret
# forwarding, since the auto token isn't a forwarded workflow_call secret.
GITEA_TOKEN: ${{ github.token }}
EVENT_NAME: ${{ github.event_name }}
PR: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
PR_BRANCH: ${{ github.head_ref }}
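Review bot: With the API credential now coming from `github.token`, the effective privilege of this job is whatever the automatic job token carries, yet nothing in the hunk pins that down; add a `permissions:` block beside `env:` on this job — e.g. `permissions: { contents: read, pull-requests: write, issues: write }` — so the reusable workflow declares the minimum it needs and callers can see what to grant (hedged: Gitea's act_runner may not enforce `permissions:`, so confirm against the runner in use before relying on it). Because `GITEA_TOKEN` is set in the job-level `env:`, the token is exported to every step of the job, including any third-party actions; moving it to `env:` on only the step(s) that actually call `$GITEA_API` keeps it out of unrelated steps and matches the least-privilege intent of the PR. Also worth confirming that every endpoint hit under `$GITEA_API` is repo-scoped and works with the run-scoped automatic token, since a previously forwarded personal token may have had broader reach. The enclosing job, its `permissions:` (if any) and its steps begin and end outside this hunk.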