fix(workflows/workflow): scope GH_TOKEN to steps using

This partly reverts the previous change as it avoids passing the secret to all steps and potentially leak it.
idiap · Nov 6, 2023 · b4d477a · b4d477a
1 parent 5c00161
commit b4d477a
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -129,28 +129,32 @@ jobs:
       contents: write # IMPORTANT: mandatory for making GitHub Releases
       id-token: write # IMPORTANT: mandatory for sigstore
 
-    env:
-      GH_TOKEN: ${{ github.token }}
-
     steps:
       - name: Download all the dists
         uses: actions/download-artifact@v3
         with:
           name: python-package-distributions
           path: dist/
+
       - name: Sign the dists with Sigstore
         uses: sigstore/[email protected]
         with:
           inputs: >-
             ./dist/*.tar.gz
             ./dist/*.whl
+
       - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: >-
           gh release create
           '${{ github.ref_name }}'
           --repo '${{ github.repository }}'
           --notes ""
+
       - name: Upload artifact signatures to GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
         # Upload to GitHub Release using the `gh` CLI.
         # `dist/` contains the built packages, and the
         # sigstore-produced signatures and certificates.