
Add security improvements: restrict cache writes and scope permissions #21



Workflow file for this run

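# CI for the Lake/Lean project: build the catalogue on every push, pull
# request and merge-group run; publish to GitHub Pages only from main.
name: CI
on:
  push:
  pull_request:
  merge_group:

# Read-only token for every job by default; the deploy job widens its own
# scope explicitly below.
permissions:
  contents: read

jobs:
  build:
    name: Build project
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are pinned to major tags (@v6, @v5, @v4). Pinning
      # to a full-length commit SHA, with the tag kept in a trailing comment,
      # removes the risk of a moved tag changing what this workflow runs.
      - uses: actions/checkout@v6
      - name: Setup elan
        # `shell: bash` runs the script with `-eo pipefail`; the default shell
        # only sets `-e`, so a failed curl would feed `sh` empty input and the
        # step would "succeed" with no toolchain installed.
        # NOTE(review): the installer is fetched from the elan `master` branch
        # rather than a tagged release; pinning the ref would make the install
        # reproducible.
        shell: bash
        run: |
          curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh -s -- -y --default-toolchain none
          echo "$HOME/.elan/bin" >> "$GITHUB_PATH"
      - name: Restore cache
        id: cache-restore
        uses: actions/cache/restore@v5
        with:
          path: .lake
          # Exact key includes the commit SHA; the restore-key prefix lets the
          # most recent build with the same toolchain and manifest be reused.
          key: lake-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('lean-toolchain') }}-${{ hashFiles('lake-manifest.json') }}-${{ github.sha }}
          restore-keys: |
            lake-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('lean-toolchain') }}-${{ hashFiles('lake-manifest.json') }}
      - name: Get Mathlib cache
        run: lake exe cache get
      # Build Catalogue
      - name: Download JuliaMono
        # NOTE(review): the font tarball is extracted without an integrity
        # check; comparing it against a known digest (`sha256sum -c`) before
        # `tar` would pin the release contents, not just its URL.
        run: |
          wget https://github.com/cormullion/juliamono/releases/download/v0.061/JuliaMono-webfonts.tar.gz
          mkdir juliamono
          tar -xvf JuliaMono-webfonts.tar.gz -C juliamono --strip-components 1
          rm JuliaMono-webfonts.tar.gz
        working-directory: ./assets
      - name: Build Catalogue
        run: lake exe catalogue
      - name: Save project cache
        # Only trusted runs write the shared cache: pushes and merge groups,
        # plus pull requests whose head branch lives in this repository. Fork
        # PRs can still restore the cache but cannot poison it.
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/cache/save@v5
        with:
          path: .lake
          key: ${{ steps.cache-restore.outputs.cache-primary-key }}
      # Upload pages artifact
      - uses: actions/upload-pages-artifact@v4
        with:
          path: _out/html-multi

  deploy:
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/main'
    # Pages deployment needs to create the deployment and mint an OIDC token;
    # both grants are confined to this job.
    # NOTE(review): deploy-pages is normally run under `environment:
    # github-pages` so environment protection rules apply — confirm whether
    # this repository relies on that.
    permissions:
      contents: read
      pages: write
      id-token: write
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4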