add permissions and secure env vars

hoeg · Jan 12, 2024 · 25cb288 · 25cb288
1 parent 2267cce
commit 25cb288
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,6 @@
 name: Build and Push Docker Image on Release
 
+permissions: write-all
 on:
   release:
     types:
@@ -19,13 +20,17 @@ jobs:
         go-version: 1.21
 
     - name: Prepare Image name
+      env: 
+        OWNER: ${{ github.repository_owner }}
       run: |
-        echo "DOCKER_IMAGE=ghcr.io/${{ github.repository_owner }}/kandji-prometheus-exporter" >> $GITHUB_ENV
+        echo "DOCKER_IMAGE=ghcr.io/$OWNER/kandji-prometheus-exporter" >> $GITHUB_ENV
 
     - name: Build Docker image
+      env:   
+        TAG_NAME: ${{ github.event.release.tag_name }} 
       run: |
-        docker build -t $DOCKER_IMAGE:${{ github.event.release.tag_name }} .
-        docker tag $DOCKER_IMAGE:${{ github.event.release.tag_name }} $DOCKER_IMAGE:latest
+        docker build -t $DOCKER_IMAGE:$TAG_NAME .
+        docker tag $DOCKER_IMAGE:$TAG_NAME $DOCKER_IMAGE:latest
 
     - name: Log in to GitHub Container Registry
       uses: docker/login-action@v1
@@ -35,6 +40,8 @@ jobs:
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Push Docker image
+      env:
+        TAG_NAME: ${{ github.event.release.tag_name }} 
       run: |
-        docker push $DOCKER_IMAGE:${{ github.event.release.tag_name }}
+        docker push $DOCKER_IMAGE:$TAG_NAME
         docker push $DOCKER_IMAGE:latest