diff --git a/.github/workflows/build-lint-test.yaml b/.github/workflows/build-lint-test.yaml index 0e347c1..8bbf792 100644 --- a/.github/workflows/build-lint-test.yaml +++ b/.github/workflows/build-lint-test.yaml @@ -2,6 +2,10 @@ name: Build, Lint, and Test Project +# Required permission on the caller workflow +# permissions: +# contents: read + on: workflow_call: inputs: @@ -11,9 +15,6 @@ on: default: 'lts/*' type: string -permissions: - contents: read - jobs: main: name: Build, Lint, and Test Project @@ -26,7 +27,7 @@ jobs: - name: 🔧 Setup Node.js uses: actions/setup-node@v4 with: - node-version: ${{ inputs.NODE_VERSION }} + node-version: ${{ inputs.node-version }} - name: 🛠️ Setup Node.js Corepack run: corepack enable diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 1c6bbec..efa6f2e 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -2,14 +2,15 @@ name: CodeQL +# Required permission on the caller workflow +# permissions: +# actions: read +# contents: read +# security-events: write + on: workflow_call: -permissions: - actions: read - contents: read - security-events: write - jobs: main: name: CodeQL Analyze diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 2cfe0ad..f1f19dd 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -2,6 +2,10 @@ name: Dependency Review +# Required permission on the caller workflow +# permissions: +# contents: read + on: workflow_call: inputs: @@ -16,9 +20,6 @@ on: type: string default: 'next' -permissions: - contents: read - jobs: main: name: Dependency Review diff --git a/.github/workflows/publish-npm.yaml b/.github/workflows/publish-npm.yaml index ba02ba5..596fc89 100644 --- a/.github/workflows/publish-npm.yaml +++ b/.github/workflows/publish-npm.yaml 
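Review bot: Removing the `permissions:` block in the `@@ -11,9 +15,6 @@` hunk replaces an enforced ceiling with a comment the platform does not check; a called workflow can only downgrade the GITHUB_TOKEN scopes it inherits, so `permissions:` / `  contents: read` here was free least-privilege that now depends on every caller reading the header. If a caller leaves permissions at the org/repo default or grants more, this job, which runs third-party actions such as `actions/setup-node@v4`, gets those scopes. I'd keep the block in the reusable workflow next to the new comment, either at top level or as `jobs.main.permissions`, and have callers declare it as well, since the effective grant is the intersection of the two. The `node-version` rename in the third hunk points at an input whose definition is cut from the second hunk (only `default: 'lts/*'` and `type: string` are visible), so I can't confirm from here that the new name matches the declared input.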
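Review bot: The removed `permissions:` block in the codeql.yaml hunk was the only thing capping the CodeQL job to `actions: read`, `contents: read`, `security-events: write`; with it gone the job runs with whatever the caller grants, which for a caller that also builds or releases is usually broader. `security-events: write` is the scope the job actually needs and is worth pinning at the job so that a caller granting `write-all` or `contents: write` does not hand those scopes to the analysis and build steps too. A comment telling callers what to grant is useful documentation but not enforcement; I'd restore the three scopes as `jobs.main.permissions` (narrowing is always allowed in a called workflow) and keep the comment for callers. The job body with the CodeQL steps is outside this hunk, so which actions run under this token is not visible from the diff.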
@@ -2,6 +2,11 @@ name: Publish NPM +# Required permission on the caller workflow +# permissions: +# contents: read +# id-token: write + on: workflow_call: inputs: @@ -20,10 +25,6 @@ on: required: true description: 'NPM token' -permissions: - contents: read - id-token: write - jobs: main: if: github.repository_owner == 'the-nexim' diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ce2cd81..a06bc0b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -2,6 +2,10 @@ name: Build & Lint & Test & Release +# Required permission on the caller workflow +# permissions: +# contents: write + on: workflow_call: inputs: @@ -14,16 +18,10 @@ on: GPG_KEY_ID: required: true description: 'GPG key ID' - BOT_TOKEN: - required: true - description: 'Nexim Bot token' GPG_PRIVATE_KEY: required: true description: 'GPG private key' -permissions: - contents: write - jobs: main: name: Build & Lint & Test & Release @@ -34,7 +32,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - token: ${{ secrets.BOT_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: 🙂‍↔️ Import GPG key run: | @@ -94,5 +92,5 @@ jobs: - name: 🤖 Get Release run: yarn lerna version --yes env: - GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} WIREIT_LOGGER: metrics diff --git a/.github/workflows/sync-label.yaml b/.github/workflows/sync-label.yaml index d3df0f4..2019ffa 100644 --- a/.github/workflows/sync-label.yaml +++ b/.github/workflows/sync-label.yaml @@ -1,11 +1,13 @@ # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Sync labels + +# Required permission on the caller workflow +# permissions: +# contents: read +# issues: write + on: workflow_call: - secrets: - GITHUB_TOKEN: - description: 'GitHub token' - required: true jobs: main:
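Review bot: `id-token: write` is the most sensitive scope in publish-npm.yaml, since it lets the job mint an OIDC token any provider federating with this repository will accept, and after the `@@ -20,10 +25,6 @@` hunk its grant is no longer bounded by the called workflow but inherited wholesale from the caller. The existing `if: github.repository_owner == 'the-nexim'` guard limits who can run the publish job, not which scopes it runs with: a caller using `permissions: write-all` now passes `contents: write`, `packages: write` and the rest into the same job that holds `NPM_TOKEN`. Because a called workflow may only downgrade, restoring `permissions:` with `contents: read` and `id-token: write` at the job level costs nothing and keeps the cap independent of each caller. Callers that forget `id-token: write` should see provenance generation fail rather than publish silently without it, assuming the publish step requests provenance; that step is outside this hunk.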
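Review bot: Swapping `BOT_TOKEN` for `secrets.GITHUB_TOKEN` on the checkout in the `@@ -34,7 +32,7 @@` hunk removes a long-lived PAT from the secret surface, which is the right direction, but `actions/checkout@v4` keeps that token in `.git/config` for the rest of the job by default, and the GPG key imported in the following step will sign commits whose committer identity is whatever later steps configure. If those steps set a name/email matching the GPG key's UID the signatures stay verified; if they fall back to the token's identity, GitHub will show them as unverified because the key's email will not match `github-actions[bot]`. The git identity step is outside this hunk, so treat this as something to confirm rather than a defect. A one-line comment on the `token:` line would help: `# GITHUB_TOKEN is bounded by the caller's permissions and expires with the job; it cannot bypass branch protection`.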
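Review bot: Commits and tags pushed by `lerna version` with `secrets.GITHUB_TOKEN` in the `@@ -94,5 +92,5 @@` hunk will not trigger other workflows (GitHub suppresses `push`, `create` and `release` events caused by GITHUB_TOKEN to prevent recursion), so if publishing is driven by a tag-push workflow rather than by this run, the pipeline now stops at the version commit. The same token also cannot bypass branch protection or rulesets, so the push to a protected default branch will be rejected unless the Actions app is on the bypass list. Neither is a reason to return to a PAT, which was the higher-privilege option, but both need checking against the repository's protection settings and the downstream publish trigger. I'd add above the env line: `# NOTE: pushes made with GITHUB_TOKEN do not fire push/tag workflows; confirm publish is chained from this run`.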
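Review bot: Dropping the `secrets: GITHUB_TOKEN` declaration from `workflow_call` in sync-label.yaml is fine, since GITHUB_TOKEN is passed implicitly to every called workflow and the explicit declaration was redundant at best, but the `issues: write` scope the job needs is now recorded only in a comment the platform will not enforce. Because a called workflow can only narrow the inherited token, I'd add `jobs.main.permissions` with `contents: read` and `issues: write` so a caller granting more (for example a release workflow carrying `contents: write`) does not extend that to the label-sync step. The job body is outside this hunk, so which action consumes the token is not visible from the diff.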