ci: granular token permissions

Author: ahmadnassri

.github/workflows/push.yml

@@ -11,6 +11,8 @@ name: push
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
 
+permissions: read-all
+
 jobs:
   metadata:
     runs-on: ubuntu-latest
@@ -79,6 +81,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      packages: write
+
     outputs:
       published: ${{ steps.release.outputs.published }}
       version: ${{ steps.release.outputs.release-version }}
@@ -110,6 +116,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - uses: actions/[email protected]
       - uses: docker/setup-qemu-action@v2
@@ -120,7 +130,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       # publish
       - uses: docker/build-push-action@v3
@@ -147,6 +157,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      packages: write
+
     strategy:
       matrix:
         release: [ "v${{ needs.release.outputs.version }}" ]

action.yml

@@ -20,4 +20,4 @@ inputs:
 
 runs:
   using: docker
-  image: docker://ghcr.io/ahmadnassri/action-workflow-queue:v1
+  image: docker://ghcr.io/ahmadnassri/action-workflow-queue:1.0.0