[build, test] Harden workflows' security (#5410)
[yt-dlp.git] / .github / workflows / build.yml
index efacecd3c9b146e354c71ae36eef1fe1fda2b56a..12e5426b14f60ccea47499ea5427839febdfcbe2 100644 (file)
@@ -1,8 +1,12 @@
 name: Build
 on: workflow_dispatch
+permissions:
+  contents: read
 
 jobs:
   prepare:
+    permissions:
+      contents: write  # for push_release
     runs-on: ubuntu-latest
     outputs:
       version_suffix: ${{ steps.version_suffix.outputs.version_suffix }}
@@ -21,7 +25,7 @@ jobs:
       env:
         PUSH_VERSION_COMMIT: ${{ secrets.PUSH_VERSION_COMMIT }}
       if: "env.PUSH_VERSION_COMMIT == ''"
-      run: echo ::set-output name=version_suffix::$(date -u +"%H%M%S")
+      run: echo "version_suffix=$(date -u +"%H%M%S")" >> "$GITHUB_OUTPUT"
     - name: Bump version
       id: bump_version
       run: |
@@ -36,7 +40,7 @@ jobs:
         git add -u
         git commit -m "[version] update" -m "Created by: ${{ github.event.sender.login }}" -m ":ci skip all :ci run dl"
         git push origin --force ${{ github.event.ref }}:release
-        echo ::set-output name=head_sha::$(git rev-parse HEAD)
+        echo "head_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
     - name: Update master
       env:
         PUSH_VERSION_COMMIT: ${{ secrets.PUSH_VERSION_COMMIT }}
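Review bot: `${{ github.event.ref }}` and `${{ github.event.sender.login }}` on the `git commit` / `git push` context lines are substituted into the script text before the shell parses it, and the commit leaves that unchanged even though the job is now explicitly granted `contents: write`. Git ref names can contain shell metacharacters, so the values should reach the script as data rather than as code: add `EVENT_REF: ${{ github.event.ref }}` under the step's `env:` and use `git push origin --force "$EVENT_REF:release"`, with the same treatment for the sender login in the commit message. The Bump version step begins above this hunk, so whether it already has an `env:` key is not visible here.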
@@ -69,9 +73,6 @@ jobs:
           python pyinst.py --onedir
           (cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .)
           python pyinst.py
-    - name: Get SHA2-SUMS
-      id: get_sha
-      run: |
 
     - name: Upload artifacts
       uses: actions/upload-artifact@v3
@@ -193,8 +194,8 @@ jobs:
           python-version: '3.8'
     - name: Install Requirements
       run: |  # Custom pyinstaller built with https://github.com/yt-dlp/pyinstaller-builds
-          python -m pip install --upgrade pip setuptools wheel py2exe
-          pip install "https://yt-dlp.github.io/Pyinstaller-Builds/x86_64/pyinstaller-5.2-py3-none-any.whl" -r requirements.txt
+          python -m pip install --upgrade pip setuptools wheel "py2exe<0.12"
+          pip install "https://yt-dlp.github.io/Pyinstaller-Builds/x86_64/pyinstaller-5.3-py3-none-any.whl" -r requirements.txt
 
     - name: Prepare
       run: |
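Review bot: The added `pip install "https://yt-dlp.github.io/Pyinstaller-Builds/x86_64/pyinstaller-5.3-py3-none-any.whl"` line fetches the wheel by URL with no integrity check, so whatever that URL serves at build time is what packages the release binary. pip checks a hash fragment on a direct URL, so the artifact can be pinned as `.../pyinstaller-5.3-py3-none-any.whl#sha256=<WHEEL_SHA256>` (placeholder; fill in the digest of the reviewed wheel). The same applies to the i686 wheel in the `@@ -230,7 +231,7 @@` hunk. `"py2exe<0.12"` sets only an upper bound, and `-r requirements.txt` is resolved at build time too, so exact pins would keep the toolchain reproducible.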
@@ -230,7 +231,7 @@ jobs:
     - name: Install Requirements
       run: |
           python -m pip install --upgrade pip setuptools wheel
-          pip install "https://yt-dlp.github.io/Pyinstaller-Builds/i686/pyinstaller-5.2-py3-none-any.whl" -r requirements.txt
+          pip install "https://yt-dlp.github.io/Pyinstaller-Builds/i686/pyinstaller-5.3-py3-none-any.whl" -r requirements.txt
 
     - name: Prepare
       run: |
@@ -248,6 +249,8 @@ jobs:
 
 
   publish_release:
+    permissions:
+      contents: write  # for action-gh-release
     runs-on: ubuntu-latest
     needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy]