fix: CI permissions

soedirgo · soedirgo · commit b4e388a9a1ee · 2023-01-13T17:27:23.000+08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,12 +10,6 @@ jobs:
   semantic-release:
     name: Release
     runs-on: ubuntu-20.04
-    permissions:
-      id-token: write # This is required for requesting the JWT from AWS
-      # These required for @semantic-release/github
-      contents: write
-      issues: write
-      pull-requests: write
     outputs:
       new-release-published: ${{ steps.semantic-release.outputs.new_release_published }}
       new-release-version: ${{ steps.semantic-release.outputs.new_release_version }}
@@ -26,12 +20,6 @@ jobs:
         with:
           node-version: '16'
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
-          aws-region: us-east-1
-
       - run: |
           npm clean-install
           npm run build
@@ -80,6 +68,7 @@ jobs:
     if: needs.semantic-release.outputs.new-release-published == 'true'
     runs-on: ubuntu-latest
     permissions:
+      id-token: write # This is required for requesting the JWT from AWS
       contents: read
       packages: write
     steps:
@@ -109,6 +98,12 @@ jobs:
         with:
           registry: public.ecr.aws
 
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: us-east-1
+
       - name: Login to GHCR
         uses: docker/login-action@v2
         with:
