ci(build-and-deploy): fix security warning (add permissions to workflow)

mikesprague · mikesprague · commit f6273f47b9ce · 2025-04-28T15:30:10.000-04:00
also adds missing env vars for latest model deployments
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -16,6 +16,9 @@ on:
       - "postcss.config.json"
       - "tsconfig.json"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -26,12 +29,13 @@ env:
   AZURE_WEBAPP_PACKAGE_PATH: "."
   AZURE_WEBAPP_PUBLISH_PROFILE: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
   AZURE_OPENAI_API_KEY: ${{ secrets.AZURE_OPENAI_API_KEY }}
+  AZURE_OPENAI_API_VERSION: ${{ secrets.AZURE_OPENAI_API_VERSION }}
   AZURE_OPENAI_DEPLOYMENT_NAME: ${{ secrets.AZURE_OPENAI_DEPLOYMENT_NAME }}
   AZURE_OPENAI_GPT4O_DEPLOYMENT: ${{ secrets.AZURE_OPENAI_GPT4O_DEPLOYMENT }}
   AZURE_OPENAI_GPT4O_MINI_DEPLOYMENT: ${{ secrets.AZURE_OPENAI_GPT4O_MINI_DEPLOYMENT }}
-  AZURE_OPENAI_GPT45_DEPLOYMENT: ${{ secrets.AZURE_OPENAI_GPT45_DEPLOYMENT }}
   AZURE_OPENAI_GPT41_DEPLOYMENT: ${{ secrets.AZURE_OPENAI_GPT41_DEPLOYMENT }}
-  AZURE_OPENAI_API_VERSION: ${{ secrets.AZURE_OPENAI_API_VERSION }}
+  AZURE_OPENAI_GPT41_MINI_DEPLOYMENT: ${{ secrets.AZURE_OPENAI_GPT41_MINI_DEPLOYMENT }}
+  AZURE_OPENAI_GPT41_NANO_DEPLOYMENT: ${{ secrets.AZURE_OPENAI_GPT41_NANO_DEPLOYMENT }}
   MS_TEAMS_WEBHOOK_URL: ${{ secrets.MS_TEAMS_WEBHOOK_URL }}
   APP_DISPLAY_NAME: "Cloud Team GPT4 Chat"
 
