Merge pull request #54 from netboxlabs/fix/remove-build-command

abubnalitic-nbl · abubnalitic-nbl · commit c5604c7f871b · 2025-10-29T17:20:48.000-04:00
fix: remove build_command from semantic-release config
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,11 @@
+# CODEOWNERS - Require review from maintainers for critical files
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Workflow files require review from maintainers (prevents bypass attacks)
+/.github/workflows/ @abubnalitic-nbl @ltucker
+
+# Release configuration requires review
+/pyproject.toml @abubnalitic-nbl @ltucker
+
+# Security-sensitive configuration
+/.github/CODEOWNERS @abubnalitic-nbl @ltucker
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,16 +1,24 @@
 name: Release
 
+# Global defaults - read-only (least privilege)
 permissions:
-  contents: write
-  issues: write
-  pull-requests: write
+  contents: read
+  issues: read
+  pull-requests: read
 
 on:
   workflow_dispatch:
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    environment: release  # Requires manual approval in GitHub settings
+
+    # Job-specific write permissions (least privilege)
+    permissions:
+      contents: write       # Push tags and CHANGELOG
+      issues: write        # Create release issues
+      pull-requests: write # Create release PRs
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/pyproject.toml b/pyproject.toml
@@ -31,7 +31,6 @@ version_toml = ["pyproject.toml:project.version"]
 version_variables = ["src/netbox_mcp_server/__init__.py:__version__"]
 branch = "main"
 upload_to_vcs_release = true
-build_command = "uv build"
 tag_format = "v{version}"
 
 [tool.semantic_release.commit_parser_options]
