31 lines
756 B
YAML
31 lines
756 B
YAML
name: CI (Release)
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v[0-9]*'
|
|
|
|
# Tags must never be cancelled — each is a public release
|
|
concurrency:
|
|
group: ci-release-${{ github.ref_name }}
|
|
cancel-in-progress: false
|
|
|
|
# Workflow-level permissions set the ceiling for the reusable ci.yml.
|
|
# id-token is never in the default token, so it must be granted explicitly
|
|
# here — otherwise the ci: job's `permissions:` block exceeds the caller
|
|
# workflow's permissions and GitHub rejects the run with startup_failure.
|
|
permissions:
|
|
actions: read
|
|
contents: write
|
|
packages: write
|
|
id-token: write
|
|
|
|
jobs:
|
|
ci:
|
|
uses: ./.github/workflows/ci.yml
|
|
secrets: inherit
|
|
permissions:
|
|
actions: read
|
|
contents: write
|
|
packages: write
|
|
id-token: write
|