From 65d231dfcb35a4b4b446cd2a66ff0fdc7289d166 Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Sat, 14 Feb 2026 14:24:13 +0000 Subject: [PATCH 1/3] chore: update global workflows --- .github/workflows/_codeql.yml | 11 ++++++----- .github/workflows/_common-lint.yml | 5 +++-- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml index 15c5a6f..5569a2e 100644 --- a/.github/workflows/_codeql.yml +++ b/.github/workflows/_codeql.yml @@ -4,16 +4,13 @@ # the above-mentioned repo. name: CodeQL -permissions: - actions: read - contents: read - security-events: write +permissions: {} on: + pull_request: push: branches: - master - pull_request: schedule: - cron: '00 12 * * 0' # every Sunday at 12:00 UTC @@ -26,3 +23,7 @@ jobs: name: CodeQL uses: LizardByte/.github/.github/workflows/__call-codeql.yml@master if: ${{ github.repository != 'LizardByte/.github' }} + permissions: + actions: read + contents: read + security-events: write diff --git a/.github/workflows/_common-lint.yml b/.github/workflows/_common-lint.yml index 80be0cc..e7760cb 100644 --- a/.github/workflows/_common-lint.yml +++ b/.github/workflows/_common-lint.yml @@ -4,8 +4,7 @@ # the above-mentioned repo. name: common lint -permissions: - contents: read +permissions: {} on: pull_request: @@ -19,3 +18,5 @@ jobs: name: Common Lint uses: LizardByte/.github/.github/workflows/__call-common-lint.yml@master if: ${{ github.repository != 'LizardByte/.github' }} + permissions: + contents: read From 95ad731fb39e1020b6d4780fc68e949eb5696bce Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Sat, 14 Feb 2026 14:26:40 +0000 Subject: [PATCH 2/3] chore: update global workflows --- .github/workflows/_update-docs.yml | 1 + 1 file changed, 1 insertion(+) 
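Review bot: The new workflow-level `permissions: {}` means any job in this file that does not carry its own `permissions:` block now runs with a GITHUB_TOKEN that has no scopes at all, and nothing on the line records that; a job added later without a block would silently run unscoped rather than inherit the old `contents: read`. I would annotate it, `permissions: {}  # no default grants; each job declares exactly the scopes it needs`. The move of `pull_request:` above `push:` in the same hunk changes no behaviour (the `on:` mapping is unordered) and only widens the diff of a permissions-only change.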
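Review bot: The job-level block is now the only ceiling on the token handed to `__call-codeql.yml@master`, and because that callee is tracked by a mutable branch rather than a commit SHA, the scopes it actually exercises can change in LizardByte/.github without any change appearing here; that is presumably the intended "global workflow" pattern given the synced-file header, but the ceiling role of this block deserves a comment, e.g. `permissions:  # ceiling for the called workflow's GITHUB_TOKEN; the callee can only narrow these`. The `if:` guard on the line above excludes only the template repository itself, so every downstream repository inherits whatever `master` currently requests within these three scopes. The job definition begins before this hunk.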
diff --git a/.github/workflows/_update-docs.yml b/.github/workflows/_update-docs.yml index 6dd66c5..863f92d 100644 --- a/.github/workflows/_update-docs.yml +++ b/.github/workflows/_update-docs.yml @@ -28,6 +28,7 @@ jobs: name: Update docs uses: LizardByte/.github/.github/workflows/__call-update-docs.yml@master if: github.repository_owner == 'LizardByte' + permissions: {} with: readthedocs_slug: ${{ vars.READTHEDOCS_SLUG }} secrets: From bc5119b02797df5840733d0bf872baa236493191 Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Sat, 14 Feb 2026 14:27:33 +0000 Subject: [PATCH 3/3] chore: update global workflows --- .github/workflows/_ci-node.yml | 7 ++++--- .github/workflows/_update-npm.yml | 9 +++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/_ci-node.yml b/.github/workflows/_ci-node.yml index 0e0d0cc..d1cc10b 100644 --- a/.github/workflows/_ci-node.yml +++ b/.github/workflows/_ci-node.yml @@ -8,14 +8,13 @@ # This will run standard CI for Node.js/npm/TypeScript projects. name: CI-Node -permissions: - contents: write # required for release_setup action +permissions: {} on: + pull_request: push: branches: - master - pull_request: concurrency: group: "${{ github.workflow }}-${{ github.ref }}" @@ -26,6 +25,8 @@ jobs: name: CI-Node uses: LizardByte/.github/.github/workflows/__call-ci-node.yml@master if: ${{ github.repository != 'LizardByte/.github' }} + permissions: + contents: write # required for release_setup action secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }} diff --git a/.github/workflows/_update-npm.yml b/.github/workflows/_update-npm.yml index 3047c0a..df4e212 100644 --- a/.github/workflows/_update-npm.yml +++ b/.github/workflows/_update-npm.yml 
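Review bot: `permissions: {}` on this `uses:` job hands `__call-update-docs.yml` a GITHUB_TOKEN with no scopes, so if the callee checks out the repository or calls the API with the default token rather than with the secrets forwarded below, it will start failing (on a private repository at least); the callee is not in this diff, so this needs confirming against LizardByte/.github before merge. If the intent is that the callee authenticates only with the forwarded secrets, record that on the line: `permissions: {}  # callee uses the forwarded secrets only; GITHUB_TOKEN is intentionally unscoped`. The job definition starts before this hunk and the `secrets:` mapping continues after it.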
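Review bot: `contents: write` is granted for every trigger of this workflow, including `pull_request` runs, although the comment justifies it only for the release_setup action; same-repository PR runs therefore pass a write-capable token into `__call-ci-node.yml@master`, and since that ref is a moving branch the callee's use of it can change without review here. Fork PRs are not affected (GitHub downgrades their token to read-only and withholds the forwarded `CODECOV_TOKEN`/`GH_TOKEN` secrets), so the residual exposure is same-repo PRs, which is worth stating in the comment: `contents: write  # required for release_setup action; note this also applies to pull_request runs`. As far as I know `permissions` does not accept expressions, so narrowing this per event would mean a separate release job in the callee rather than a change in this file. The job definition begins before this hunk and may continue after it.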
@@ -8,10 +8,7 @@ # Update NPM packages on release events. name: Update NPM -permissions: - contents: read - id-token: write # required for provenance and OIDC - packages: write +permissions: {} on: release: @@ -27,5 +24,9 @@ jobs: name: Update NPM uses: LizardByte/.github/.github/workflows/__call-update-npm.yml@master if: github.repository_owner == 'LizardByte' + permissions: + contents: read + id-token: write # required for provenance and OIDC + packages: write with: release_version: ${{ github.event.release.tag_name }}
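Review bot: `id-token: write` lets the called workflow mint OIDC tokens that assert this repository's identity (the comment ties it to provenance), and together with `packages: write` it is among the most sensitive grants in this patch series, yet the callee is referenced at the mutable `@master` ref, so whatever `__call-update-npm.yml` does with that identity can change without any review in this repository. That is evidently a deliberate org-wide pattern given the synced-file header, but the trade-off belongs next to the grant: `id-token: write  # required for provenance and OIDC; callee is tracked at @master, so this identity is only as trusted as LizardByte/.github`. Pre-existing but worth keeping in mind, `release_version` is taken verbatim from `github.event.release.tag_name`, a value chosen by whoever creates the release; passing it as a `with:` input is safe in itself, but the callee must not interpolate it unquoted into a `run:` script. The job definition begins before this hunk.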