Declare write permissions only for jobs that require them #404

Summary
Jobs
- all
Run details
- Usage
- Workflow file

Workflow file for this run

	name: deploy

	on:
	push:
	branches:
	- main
	workflow_dispatch:

	concurrency:
	group: deploy
	cancel-in-progress: true

	jobs:
	all:
	runs-on: ubuntu-22.04
	env:
	SPHINXOPTS: --color
	steps:
	- name: Checkout repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 0 # clone full repo to get last-updated dates
	- name: Install apt packages
	run: >
	sudo apt-get install --no-install-recommends -y
	graphviz
	gettext
	latexmk
	texlive-luatex
	texlive-latex-extra
	texlive-fonts-recommended
	texlive-lang-french
	texlive-lang-english
	fonts-dejavu
	xindy
	imagemagick
	- name: Install TwemojiMozilla font
	run: \|
	wget -nv https://github.com/mozilla/twemoji-colr/releases/download/v0.6.0/TwemojiMozilla.ttf
	echo 'e52ebdb734105d3d634936b5ee436b2b91bed9c0200f0e9c84c7d663224610c7 TwemojiMozilla.ttf' \| sha256sum -c
	mkdir ~/.fonts
	mv TwemojiMozilla.ttf ~/.fonts/
	fc-cache
	- name: Patch dependencies
	run: make deps
	- name: Restore pip cache
	uses: actions/cache@v4
	with:
	path: ~/.cache/pip
	key: ${{ runner.os }}-pip-${{ hashFiles('.github/requirements.txt') }}
	restore-keys: \|
	${{ runner.os }}-pip-
	- name: Install pip packages
	run: pip install -r .github/requirements.txt
	- name: Restore LuaTex cache
	uses: actions/cache@v4
	with:
	path: ~/.texlive2021
	key: ${{ runner.os }}-texlive2021-${{ hashFiles('.github/workflows/deploy.yml') }}
	restore-keys: \|
	${{ runner.os }}-texlive2021-
	- name: Make all
	run: make all
	- name: Install RSA key
	if: ${{ github.event_name != 'pull_request' }}
	env:
	SSH_AUTH_SOCK: /tmp/ssh_agent.sock
	run: \|
	mkdir $HOME/.ssh
	chmod 700 $HOME/.ssh
	echo "${{ secrets.RSA_KEY }}" > $HOME/.ssh/id_rsa
	chmod 600 $HOME/.ssh/id_rsa
	echo "club1.fr ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBC64tjZ1WjxMMoGeWiipApfCAaQe1sP/YFoNWYtckXV7XfFFKsBf70SHUw/oPjVZ1sdwcIL8wsH8Q00oYMIv7M=" > $HOME/.ssh/known_hosts
	ssh-agent -a $SSH_AUTH_SOCK > /dev/null
	ssh-add $HOME/.ssh/id_rsa
	- name: Publish
	if: ${{ github.event_name != 'pull_request' }}
	env:
	SSH_AUTH_SOCK: /tmp/ssh_agent.sock
	run: make publish USER=docs

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Declare write permissions only for jobs that require them #404

Workflow file

Declare write permissions only for jobs that require them #404

Jobs

Run details

Workflow file for this run