BUG - Update release workflow permissions (#2162)

trallard · web-flow · commit 1191f8d01fcc · 2025-03-12T11:56:00.000-05:00
This is a follow-up to #2077. This PR fixes action permissions to call reusable workflows in our release workflow. I also pinned the SHA for a workflow I missed in a previous review.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -194,8 +194,13 @@ jobs:
   # Calling the coverage-comment action from the main CI workflow
   # we might want to pin the SHA once merged
   coverage-comment:
-    uses: ./.github/workflows/coverage.yml
+    # Important: make sure to update the SHA after making any changes to the coverage workflow
+    uses: pydata/pydata-sphinx-theme/.github/workflows/coverage.yml@4a1e7898d6c92dade5e489684277ab4ffd0eb053
     needs: [coverage]
+    # ensures this runs even if the coverage step does not continue - e.g. the
+    # default coverage action will fail at first for external PRs, this is a workaround
+    # to ensure the comment is posted
+    if: ${{ always() }}
     permissions:
       contents: write
       pull-requests: write
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -20,19 +20,26 @@ jobs:
   tests:
     # Important: make sure to update the SHA after making any changes to the CI workflow
     uses: pydata/pydata-sphinx-theme/.github/workflows/CI.yml@4a1e7898d6c92dade5e489684277ab4ffd0eb053
+    # only run this workflow for pydata owned repositories (avoid forks)
+    if: github.repository_owner == 'pydata'
     # needed for the coverage action
     permissions:
       contents: write
       pull-requests: write
+      actions: read
       # calls our docs workflow (build docs, check broken links, lighthouse)
   docs:
     # Important: make sure to update the SHA after making any changes to the docs workflow
     uses: pydata/pydata-sphinx-theme/.github/workflows/docs.yml@4a1e7898d6c92dade5e489684277ab4ffd0eb053
+    # only run this workflow for pydata owned repositories (avoid forks)
+    if: github.repository_owner == 'pydata'
 
   build-package:
     name: "Build & verify PST package"
     # require tests and docs to pass before building the package
     needs: [tests, docs]
+    # only run this workflow for pydata owned repositories (avoid forks)
+    if: github.repository_owner == 'pydata'
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout repository 🛎"
@@ -69,6 +76,8 @@ jobs:
   release-PST:
     runs-on: ubuntu-latest
     needs: [build-package]
+    # only run this workflow for pydata owned repositories (avoid forks)
+    if: github.repository_owner == 'pydata'
     permissions:
       id-token: write # needed for PyPI upload
     environment:
