Reduce permissions for github action workflow, and prevent accidentally committing credentials to release artifact.

TheLinuxGuy · Capirca Team · commit cf94d1d0fba0 · 2025-02-25T12:07:15.000-08:00
PiperOrigin-RevId: 730978360
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,3 @@
+**/.git
+.git
+gha-creds-*.json
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -1,5 +1,9 @@
 name: Docker Publish
 
+permissions:
+      packages: write
+      contents: read
+
 on:
   push:
     branches:
diff --git a/.gitignore b/.gitignore
@@ -5,6 +5,8 @@ def/AUTOGEN.net
 tests/characterization_data/filters_actual
 tools/new_lint_errors.txt
 
+# Exclude secrets
+gha-creds-*.json
 
 # Recommended python excludes
 # Byte-compiled / optimized / DLL files
