Use explicit action permissions in CI

Disservin · vondele · commit 74a8fc060465 · 2024-07-05T15:35:13.000+02:00
Necessary modifications according to changes in the GitHub Action settings. closes #5437 Follow up from the report by Yaron Avital (yaronav) earlier. No functional change
diff --git a/.github/workflows/stockfish.yml b/.github/workflows/stockfish.yml
@@ -15,6 +15,8 @@ jobs:
   Prerelease:
     if: github.repository == 'official-stockfish/Stockfish' && (github.ref == 'refs/heads/master' || (startsWith(github.ref_name, 'sf_') && github.ref_type == 'tag'))
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # For deleting/creating a prerelease
     steps:
       - uses: actions/checkout@v4
         with:
@@ -104,9 +106,17 @@ jobs:
     uses: ./.github/workflows/upload_binaries.yml
     with:
       matrix: ${{ needs.Matrix.outputs.matrix }}
+    permissions:
+      contents: write # For deleting/creating a (pre)release
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
   ARM_Binaries:
     if: github.repository == 'official-stockfish/Stockfish'
     needs: [Matrix, Prerelease, ARMCompilation]
     uses: ./.github/workflows/upload_binaries.yml
     with:
       matrix: ${{ needs.Matrix.outputs.arm_matrix }}
+    permissions:
+      contents: write # For deleting/creating a (pre)release
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/upload_binaries.yml b/.github/workflows/upload_binaries.yml
@@ -5,6 +5,9 @@ on:
       matrix:
         type: string
         required: true
+    secrets:
+      token:
+        required: true
 
 jobs:
   Artifacts:
@@ -80,6 +83,7 @@ jobs:
         uses: softprops/action-gh-release@4634c16e79c963813287e889244c50009e7f0981
         with:
           files: stockfish-${{ matrix.config.simple_name }}-${{ matrix.binaries }}.${{ matrix.config.archive_ext }}
+          token: ${{ secrets.token }}
 
       - name: Get last commit sha
         id: last_commit
@@ -106,3 +110,4 @@ jobs:
           tag_name: stockfish-dev-${{ env.COMMIT_DATE }}-${{ env.COMMIT_SHA }}
           prerelease: true
           files: stockfish-${{ matrix.config.simple_name }}-${{ matrix.binaries }}.${{ matrix.config.archive_ext }}
+          token: ${{ secrets.token }}
