diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e32148c06f..6446197e42 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -102,22 +102,6 @@ jobs:
 signer_docker_tag: ${{ needs.check-release.outputs.signer_docker_tag }}
 is_node_release: ${{ needs.check-release.outputs.is_node_release }}
 is_signer_release: ${{ needs.check-release.outputs.is_signer_release }}
- secrets: inherit
-
- ## Build and push Debian image built from source
- ##
- ## Runs when:
- ## - it is not a node or signer-only release run
- docker-image:
- if: |
- needs.check-release.outputs.is_node_release != 'true' ||
- needs.check-release.outputs.is_signer_release != 'true'
- name: Docker Image (Source)
- uses: ./.github/workflows/image-build-source.yml
- needs:
- - rustfmt
- - check-release
- secrets: inherit
 ## Create a reusable cache for tests
 ##
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 75155649b6..104f29281b 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -29,9 +29,6 @@ on:
 description: "True if it is a signer release"
 required: true
 type: string
- secrets:
- GH_TOKEN:
- required: true
 concurrency:
 group: github-release-${{ github.head_ref || github.ref }}
@@ -95,6 +92,8 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - build-binaries
+ permissions:
+ contents: write
 steps:
 ## Creates releases
 - name: Create Release
@@ -106,7 +105,7 @@ jobs:
 signer_docker_tag: ${{ inputs.signer_docker_tag }}
 is_node_release: ${{ inputs.is_node_release }}
 is_signer_release: ${{ inputs.is_signer_release }}
- GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ## Builds arch dependent Docker images from binaries
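Review bot: The `permissions:` / `contents: write` block added to the job that runs the `Create Release` step only works if the calling job grants at least that much, because a workflow invoked through `workflow_call` can lower the caller's `GITHUB_TOKEN` permissions but never raise them. The ci.yml hunk drops `secrets: inherit` from the caller without adding a `permissions:` key, so unless ci.yml or the repository default already grants write access (neither is visible here) the run is rejected when it starts. I would add `permissions:` with `contents: write` and `pull-requests: write` to the calling job in ci.yml, and a comment above the new block such as `## contents: write is needed to create the release; every unlisted scope becomes none`. The job body starts and ends outside the hunk.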
@@ -156,9 +155,11 @@ jobs:
 - build-binaries
 - create-release
 - docker-image
+ permissions:
+ pull-requests: write
 steps:
 - name: Open Downstream PR
 id: create-pr
 uses: stacks-network/actions/stacks-core/release/downstream-pr@main
 with:
- token: ${{ secrets.GH_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
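Review bot: With `permissions:` listing only `pull-requests: write`, every other scope on this job's token becomes `none`, and `secrets.GITHUB_TOKEN` is valid only for the repository that runs the workflow. If the `downstream-pr` action pushes a branch or opens the PR in a different repository (its source is not in this diff, so this is inferred from the step name), the call will be refused. Confirm what the action needs, and if it needs cross-repository access keep a narrowly scoped token or GitHub App credential as a declared secret. The action is also referenced by the mutable ref `@main` while receiving a write-capable token, so I would pin it: `uses: stacks-network/actions/stacks-core/release/downstream-pr@<full-commit-sha>`. The job definition starts outside the hunk.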