diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index a3ae7257..85282bdf 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -8,6 +8,9 @@ on:
 # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
 - cron: "0 8 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 audit:
 name: Audit Dependencies
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 5b2d8c03..d8d81a41 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -18,6 +18,10 @@ on:
 required: true
 type: string
 
+permissions:
+ contents: read
+ checks: write
+
 jobs:
 lint-all:
 name: Lint All
diff --git a/.github/workflows/ci-test-workspace.yml b/.github/workflows/ci-test-workspace.yml
index 585d888e..4f072a81 100644
--- a/.github/workflows/ci-test-workspace.yml
+++ b/.github/workflows/ci-test-workspace.yml
@@ -16,6 +16,9 @@ on:
 # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
 - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3873d0b9..7122bbe1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ on:
 # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
 - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 15c8efee..af848e17 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,6 +13,9 @@ on:
 # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
 - cron: "0 10 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 7dbdfd41..c69932da 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
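Review bot: In the ci-release.yml hunk, `checks: write` is granted at workflow level, so every job in that workflow (lint-all and whichever jobs follow outside the hunk) receives a GITHUB_TOKEN that can create and edit check runs, not only the job that reports checks. Keep the workflow-level block at `contents: read` and move the write scope onto the one job that needs it, e.g. under that job: `permissions:` / `  contents: read` / `  checks: write`; which job that is lies outside this hunk, so it should be confirmed against the rest of the file. The same widening applies to `id-token: write` at workflow level in release-integration.yml and to the matching `ci-release-yml.hbs` and `release-integration-yml.hbs` templates, which are the source the workflow files are generated from and where the narrowing should land first.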
@@ -10,6 +10,9 @@ on:
 - edited
 - synchronize
 
+permissions:
+ contents: read
+
 jobs:
 commitlint:
 name: Lint Commits
diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index 130578e6..9ca9a2b8 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -19,6 +19,10 @@ on:
 PUBLISH_TOKEN:
 required: true
 
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 publish:
 name: Publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e9842179..0b0dc8d3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -244,6 +244,7 @@ jobs:
 if: needs.release.outputs.releases
 uses: ./.github/workflows/release-integration.yml
 permissions:
+ contents: read
 id-token: write
 secrets:
 PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index f33e27ab..52d941c8 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
- ".": "4.24.1"
+ ".": "4.24.2"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 634fe0c9..bbedcda2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## [4.24.2](https://github.com/npm/template-oss/compare/v4.24.1...v4.24.2) (2025-03-05)
+### Bug Fixes
+* [`fa962c3`](https://github.com/npm/template-oss/commit/fa962c3b6761ee48ee9a10e7f6252f81f6605f4f) [#506](https://github.com/npm/template-oss/pull/506) propagate content read for release integration (#506) (@reggi)
+* [`1cb710e`](https://github.com/npm/template-oss/commit/1cb710e2770047fe60f3930faca66881a1a81196) [#505](https://github.com/npm/template-oss/pull/505) adds permissions to all workflows (#505) (@reggi)
+
 ## [4.24.1](https://github.com/npm/template-oss/compare/v4.24.0...v4.24.1) (2025-02-04)
 ### Bug Fixes
 * [`4f871ab`](https://github.com/npm/template-oss/commit/4f871ab853b41d745cfd6078f3bbe1855f5750e7) [#503](https://github.com/npm/template-oss/pull/503) tap exclude (#503) (@reggi)
diff --git a/lib/content/audit-yml.hbs b/lib/content/audit-yml.hbs
index 07794faa..cabf4a28 100644
--- a/lib/content/audit-yml.hbs
+++ b/lib/content/audit-yml.hbs
@@ -6,6 +6,9 @@ on:
 # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
 - cron: "0 8 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 audit:
 {{> jobYml jobName="Audit Dependencies" jobDepFlags="--package-lock" }}
diff --git a/lib/content/ci-release-yml.hbs b/lib/content/ci-release-yml.hbs
index 88aee56f..676109be 100644
--- a/lib/content/ci-release-yml.hbs
+++ b/lib/content/ci-release-yml.hbs
@@ -17,6 +17,10 @@ on:
 required: true
 type: string
 
+permissions:
+ contents: read
+ checks: write
+
 jobs:
 lint-all:
 {{> jobYml
diff --git a/lib/content/ci-yml.hbs b/lib/content/ci-yml.hbs
index ebb6d917..f1ac58d2 100644
--- a/lib/content/ci-yml.hbs
+++ b/lib/content/ci-yml.hbs
@@ -3,6 +3,9 @@ name: CI {{~#if isWorkspace}} - {{ pkgName }}{{/if}}
 on:
 {{> onCiYml }}
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 {{> jobYml jobName="Lint" }}
diff --git a/lib/content/codeql-analysis-yml.hbs b/lib/content/codeql-analysis-yml.hbs
index cf7601cc..760c5199 100644
--- a/lib/content/codeql-analysis-yml.hbs
+++ b/lib/content/codeql-analysis-yml.hbs
@@ -15,6 +15,9 @@ on:
 # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
 - cron: "0 10 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/lib/content/pull-request-yml.hbs b/lib/content/pull-request-yml.hbs
index f7552b76..bb355b98 100644
--- a/lib/content/pull-request-yml.hbs
+++ b/lib/content/pull-request-yml.hbs
@@ -8,6 +8,9 @@ on:
 - edited
 - synchronize
 
+permissions:
+ contents: read
+
 jobs:
 commitlint:
 {{> jobYml jobName="Lint Commits" jobCheckout=(obj fetch-depth=0) }}
diff --git a/lib/content/release-integration-yml.hbs b/lib/content/release-integration-yml.hbs
index 807d1279..85938eab 100644
--- a/lib/content/release-integration-yml.hbs
+++ b/lib/content/release-integration-yml.hbs
@@ -19,6 +19,10 @@ on:
 required: true
 {{/if}}
 
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 publish:
 {{> jobReleaseIntegrationYml }}
diff --git a/lib/content/release-yml.hbs b/lib/content/release-yml.hbs
index 7fc88e57..d9ad77e8 100644
--- a/lib/content/release-yml.hbs
+++ b/lib/content/release-yml.hbs
@@ -186,6 +186,7 @@ jobs:
 uses: ./.github/workflows/release-integration.yml
 {{#if publish}}
 permissions:
+ contents: read
 id-token: write
 secrets:
 PUBLISH_TOKEN: $\{{ secrets.PUBLISH_TOKEN }}
diff --git a/package.json b/package.json
index b29a94a9..211ba6c1 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@npmcli/template-oss",
- "version": "4.24.1",
+ "version": "4.24.2",
 "description": "templated files used in npm CLI team oss projects",
 "main": "lib/content/index.js",
 "bin": {
diff --git a/tap-snapshots/test/apply/source-snapshots.js.test.cjs b/tap-snapshots/test/apply/source-snapshots.js.test.cjs
index 131b7dbc..d6025401 100644
--- a/tap-snapshots/test/apply/source-snapshots.js.test.cjs
+++ b/tap-snapshots/test/apply/source-snapshots.js.test.cjs
@@ -356,6 +356,9 @@ on: # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1 - cron: "0 8 * * 1" +permissions: + contents: read + jobs: audit: name: Audit Dependencies @@ -410,6 +413,10 @@ on: required: true type: string +permissions: + contents: read + checks: write + jobs: lint-all: name: Lint All @@ -546,6 +553,9 @@ on: # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1 - cron: "0 9 * * 1" +permissions: + contents: read + jobs: lint: name: Lint @@ -651,6 +661,9 @@ on: # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1 - cron: "0 10 * * 1" +permissions: + contents: read + jobs: analyze: name: Analyze @@ -813,6 +826,9 @@ on: - edited - synchronize +permissions: + contents: read + jobs: commitlint: name: Lint Commits @@ -872,6 +888,10 @@ on: type: string description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version' +permissions: + contents: read + id-token: write + jobs: publish: name: Check Publish @@ -1797,6 +1817,9 @@ on: # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1 - cron: "0 8 * * 1" +permissions: + contents: read + jobs: audit: name: Audit Dependencies @@ -1851,6 +1874,9 @@ on: # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1 - cron: "0 9 * * 1" +permissions: + contents: read + jobs: lint: name: Lint @@ -1957,6 +1983,9 @@ on: # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1 - cron: "0 9 * * 1" +permissions: + contents: read + jobs: lint: name: Lint @@ -2063,6 +2092,10 @@ on: required: true type: string +permissions: + contents: read + checks: write + jobs: lint-all: name: Lint All @@ -2205,6 +2238,9 @@ on: # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1 - cron: "0 9 * * 1" +permissions: + contents: read + jobs: lint: name: Lint 
@@ -2310,6 +2346,9 @@ on: # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1 - cron: "0 10 * * 1" +permissions: + contents: read + jobs: analyze: name: Analyze @@ -2472,6 +2511,9 @@ on: - edited - synchronize +permissions: + contents: read + jobs: commitlint: name: Lint Commits @@ -2531,6 +2573,10 @@ on: type: string description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version' +permissions: + contents: read + id-token: write + jobs: publish: name: Check Publish @@ -3526,6 +3572,9 @@ on: # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1 - cron: "0 9 * * 1" +permissions: + contents: read + jobs: lint: name: Lint @@ -3632,6 +3681,9 @@ on: # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1 - cron: "0 9 * * 1" +permissions: + contents: read + jobs: lint: name: Lint @@ -3738,6 +3790,10 @@ on: required: true type: string +permissions: + contents: read + checks: write + jobs: lint-all: name: Lint All @@ -3996,6 +4052,9 @@ on: - edited - synchronize +permissions: + contents: read + jobs: commitlint: name: Lint Commits @@ -4055,6 +4114,10 @@ on: type: string description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version' +permissions: + contents: read + id-token: write + jobs: publish: name: Check Publish diff --git a/tap-snapshots/test/check/diff-snapshots.js.test.cjs b/tap-snapshots/test/check/diff-snapshots.js.test.cjs index 8f11fd55..9990c2bb 100644 --- a/tap-snapshots/test/check/diff-snapshots.js.test.cjs +++ b/tap-snapshots/test/check/diff-snapshots.js.test.cjs 
@@ -99,23 +99,23 @@ The repo file audit.yml needs to be updated: [@npmcli/template-oss ERROR] There was an erroring getting the target file [@npmcli/template-oss ERROR] Error: {{ROOT}}/.tap/fixtures/test-check-diff-snapshots.js-update-and-remove-errors/.github/workflows/audit.yml - YAMLParseError: Implicit keys need to be on a single line at line 42, column 1: + YAMLParseError: Implicit keys need to be on a single line at line 45, column 1: run: npm audit --audit-level=none >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<< ^ - YAMLParseError: Block scalar header includes extra characters: >>>>I at line 42, column 2: + YAMLParseError: Block scalar header includes extra characters: >>>>I at line 45, column 2: >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<< ^ - YAMLParseError: Not a YAML token: HOPE THIS IS NOT VALID YAML<<<<<<<<<<< at line 42, column 7: + YAMLParseError: Not a YAML token: HOPE THIS IS NOT VALID YAML<<<<<<<<<<< at line 45, column 7: >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<< ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - YAMLParseError: Implicit map keys need to be followed by map values at line 42, column 1: + YAMLParseError: Implicit map keys need to be followed by map values at line 45, column 1: run: npm audit --audit-level=none >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<< @@ -134,6 +134,9 @@ The repo file audit.yml needs to be updated: # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1 - cron: "0 8 * * 1" + permissions: + contents: read + jobs: audit: name: Audit Dependencies @@ -175,7 +178,7 @@ The repo file ci.yml needs to be updated: .github/workflows/ci.yml ======================================== - @@ -97,4 +97,24 @@ + @@ -100,4 +100,24 @@ shell: \${{ matrix.platform.shell }} steps: - name: Checkout