From f0bfa0d81d6d7ea49b5996b7ed8f53011533be36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mario=20Beltr=C3=A1n?=
Date: Fri, 12 Dec 2025 10:49:59 +0100
Subject: [PATCH 1/2] ci: add read permission for contents

---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 970bb07c..86462202 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 merge_group:

+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

From ac07ebb0351b5db26689923da73b7d82b321ed56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mario=20Beltr=C3=A1n?=
Date: Fri, 12 Dec 2025 10:58:43 +0100
Subject: [PATCH 2/2] ci: forward secret to reusable workflow

---
 .github/workflows/ci.yml | 5 ++---
 .github/workflows/release.yml | 1 -
 .github/workflows/verifications.yml | 3 +++
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 86462202..1a45f83e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,9 +4,6 @@ on:
 pull_request:
 merge_group:

-permissions:
- contents: read
-
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -15,6 +12,8 @@ jobs:
 verifications:
 name: Verifications
 uses: ./.github/workflows/verifications.yml
+ secrets:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

 required-checks:
 name: Require CI status checks
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 44ddac62..5a7397f0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,7 +39,6 @@ jobs:
 with:
 cache: 'pnpm'
 node-version-file: '.nvmrc'
- registry-url: 'https://registry.npmjs.org'

 # Ensure npm 11.5.1 or later is installed for correct OIDC publishing
 - name: Update npm
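Review bot: The first ci.yml hunk of PATCH 2/2 (`@@ -4,9 +4,6 @@`) removes the `permissions:` / `contents: read` block that PATCH 1/2 added, and no visible hunk replaces it, so after the series the workflow's GITHUB_TOKEN falls back to the repository or organisation default, which may be read-write. The `verifications` job that now receives `CODECOV_TOKEN` in the `@@ -15,6 +12,8 @@` hunk inherits that token scope unless verifications.yml restricts it itself, which is not visible here. If the workflow-level block had to go because some job needs a wider scope, I would keep least privilege per job instead, for example `permissions:` with `contents: read` under `verifications:`, and state in the commit message why the block was dropped. The `jobs:` mapping continues outside the hunk.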
diff --git a/.github/workflows/verifications.yml b/.github/workflows/verifications.yml
index 57d556c1..c8d2df3d 100644
--- a/.github/workflows/verifications.yml
+++ b/.github/workflows/verifications.yml
@@ -2,6 +2,9 @@ name: Verifications

 on:
 workflow_call:
+ secrets:
+ CODECOV_TOKEN:
+ required: true

 jobs:
 code-validation:
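Review bot: `required: true` on `CODECOV_TOKEN` looks risky for a workflow that ci.yml calls on `pull_request`, because runs triggered from forks (and by Dependabot) do not receive repository secrets, so the value the caller forwards is empty there. Whether that fails the call or only hands the upload step an empty token is worth confirming on a fork PR; the step that consumes the secret is outside this hunk. If coverage upload is meant to be best effort, `required: false` plus a guard on the upload step would be safer. A `description: Codecov upload token` line under the secret would also document what callers must supply.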