prebid · Net-burst · Jan 16, 2026 · Jan 15, 2026 · Jan 15, 2026 · Jan 15, 2026
diff --git a/.github/workflows/code-path-changes.yml b/.github/workflows/code-path-changes.yml
@@ -2,10 +2,13 @@ name: Notify Code Path Changes
 
 on:
   pull_request_target:
-    types: [opened, synchronize]
+    types: [ opened, synchronize ]
     paths:
       - '**'
 
+permissions:
+  contents: read
+
 env:
   OAUTH2_CLIENT_ID: ${{ secrets.OAUTH2_CLIENT_ID }}
   OAUTH2_CLIENT_SECRET: ${{ secrets.OAUTH2_CLIENT_SECRET }}
@@ -14,18 +17,15 @@ env:
   GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-permissions:
-  contents: read
-
 jobs:
   notify:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: '18'
 

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,48 +1,60 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
-  push:
-    branches: [ "master" ]
   pull_request:
-    branches: [ "master" ]
+    branches: [ 'master' ]
+  schedule:
+    - cron: '0 3 * * 1'
+
+permissions:
+  security-events: write
+  packages: read
+  actions: read
+  contents: read
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'java' ]
+        include:
+          - language: actions
+            build-mode: none
+          - language: java-kotlin
+            build-mode: manual
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    - name: Set up JDK
-      uses: actions/setup-java@v3
-      with:
-        distribution: 'temurin'
-        java-version: 21
-
-    - name: Cache Maven packages
-      uses: actions/cache@v3
-      with:
-        path: ~/.m2/repository
-        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-        restore-keys: |
-          ${{ runner.os }}-maven-
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-
-    - name: Build with Maven
-      run: mvn -B package --file extra/pom.xml
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
-      with:
-        category: "/language:${{ matrix.language }}"
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: 21
+
+      - name: Cache Maven packages
+        uses: actions/cache@v5
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      - name: Build with Maven
+        if: matrix.build-mode == 'manual'
+        run: mvn -B package --file extra/pom.xml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/cross-repo-issue.yml b/.github/workflows/cross-repo-issue.yml
@@ -2,17 +2,20 @@ name: Cross-repo Issue Creation
 
 on:
   pull_request_target:
-    types: [closed]
+    types: [ closed ]
     branches:
-      - "master"
+      - 'master'
+
+permissions:
+  contents: read
 
 jobs:
   cross-repo:
     runs-on: ubuntu-latest
     steps:
       - name: Generate token
         id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@v2.1.0
         with:
           app_id: ${{ secrets.XREPO_APP_ID }}
           private_key: ${{ secrets.XREPO_PEM }}

diff --git a/.github/workflows/docker-image-publish.yml b/.github/workflows/docker-image-publish.yml
@@ -5,6 +5,10 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: read
+  packages: write
+
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
@@ -13,13 +17,10 @@ jobs:
   build:
     name: Publish Docker image for new tag/release
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
     strategy:
       matrix:
         java: [ 21 ]
-        dockerfile-path: [Dockerfile, Dockerfile-modules]
+        dockerfile-path: [ Dockerfile, Dockerfile-modules ]
         include:
           - dockerfile-path: Dockerfile
             build-cmd: mvn clean package -Dcheckstyle.skip -Dmaven.test.skip=true
@@ -30,10 +31,10 @@ jobs:
             package-name: ghcr.io/${{ github.repository }}-bundle
     steps:
       - name: Check out Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           cache: 'maven'
@@ -56,13 +57,13 @@ jobs:
           images: ${{ matrix.package-name }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ${{ matrix.dockerfile-path }}

diff --git a/.github/workflows/issue_prioritization.yml b/.github/workflows/issue_prioritization.yml
@@ -1,9 +1,11 @@
 name: Issue tracking
+
 on:
   issues:
     types:
       - opened
       - pinned
+
 jobs:
   track_issue:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/pr-functional-tests.yml b/.github/workflows/pr-functional-tests.yml
@@ -11,6 +11,11 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+  actions: read
+  checks: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -20,10 +25,10 @@ jobs:
         java: [ 21 ]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           cache: 'maven'
@@ -42,7 +47,7 @@ jobs:
 
       - name: Emitting run result of functional test
         if: always()
-        uses: dorny/test-reporter@v2.1.1
+        uses: dorny/test-reporter@v2.5.0
         with:
           name: 'Functional tests'
           working-directory: 'target/failsafe-reports'

diff --git a/.github/workflows/pr-java-ci.yml b/.github/workflows/pr-java-ci.yml
@@ -11,6 +11,11 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+  actions: read
+  checks: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -20,10 +25,10 @@ jobs:
         java: [ 21 ]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           cache: 'maven'
@@ -32,12 +37,3 @@ jobs:
 
       - name: Build with Maven
         run: mvn -B package --file extra/pom.xml
-
-      - name: Publish JUnit Report
-        uses: mikepenz/action-junit-report@v5
-        if: always()
-        with:
-          check_name: 'JUnit Test Report'
-          report_paths: '**/target/surefire-reports/TEST-*.xml'
-          fail_on_failure: true
-          annotate_only: true
diff --git a/.github/workflows/pr-module-functional-tests.yml b/.github/workflows/pr-module-functional-tests.yml
@@ -11,6 +11,11 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+  actions: read
+  checks: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -20,10 +25,10 @@ jobs:
         java: [ 21 ]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           cache: 'maven'
@@ -46,7 +51,7 @@ jobs:
 
       - name: Emitting run result of functional test
         if: always()
-        uses: dorny/test-reporter@v2.1.1
+        uses: dorny/test-reporter@v2.5.0
         with:
           name: 'Module functional tests'
           working-directory: 'target/failsafe-reports'

diff --git a/.github/workflows/release-asset-publish.yml b/.github/workflows/release-asset-publish.yml
@@ -2,7 +2,7 @@ name: Publish release .jar
 
 on:
   workflow_run:
-    workflows: [Publish release]
+    workflows: [ Publish release ]
     types:
       - completed
 
@@ -14,9 +14,9 @@ jobs:
       matrix:
         java: [ 21 ]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           cache: 'maven'

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -5,17 +5,22 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
     name: Publish release with notes
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Create and publish release
-        uses: release-drafter/release-drafter@v5
+        uses: release-drafter/release-drafter@v6
         with:
           config-name: release-drafter-config.yml
           publish: true
-          name: "v${{ github.ref_name }}"
+          name: 'v${{ github.ref_name }}'
           tag: ${{ github.ref_name }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}