Build without write permissions

[lazka]

This would be a large change. To avoid package builds gaining write permissions to the GH assets we currently clean out the env, so they can't get to the token easily (

msys2-autobuild/msys2_autobuild/build.py

Lines 97 to 108 in 1ed7c15

	def clean_environ(environ: Dict[str, str]) -> Dict[str, str]:
	"""Returns an environment without any CI related variables.
	This is to avoid leaking secrets to package build scripts we call.
	While in theory we trust them this can't hurt.
	"""
	new_env = environ.copy()
	for key in list(new_env):
	if key.startswith(("GITHUB_", "RUNNER_")):
	del new_env[key]
	return new_env

). But that's not bullet proof.

Ideally we would separate the third party code into an environment that doesn't have write permissions.

[lazka]

In theory https://github.com/actions/toolkit/tree/main/packages/artifact#v2---whats-new would allow us to upload packages for the job without write permissions, and other jobs could iterate all other active jobs in addition to the assets. From what I see we would need to shell out to JS though to upload artifacts though, as the API isn't publicly documented.

[lazka]

Another option would be to:

• keep built files locally
• upload as job artifact at the end
• have one more job in the end that only uploads to assets

Downside being it would build various things twice potentially