From 31423c8e570c7564dba59e03b044dd4fb7aca55c Mon Sep 17 00:00:00 2001
From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com>
Date: Sat, 14 Feb 2026 14:22:08 +0000
Subject: [PATCH 1/2] chore: update global workflows

---
 .github/workflows/_codeql.yml      | 11 ++++++-----
 .github/workflows/_common-lint.yml |  5 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml
index 15c5a6f..5569a2e 100644
--- a/.github/workflows/_codeql.yml
+++ b/.github/workflows/_codeql.yml
@@ -4,16 +4,13 @@
 # the above-mentioned repo.
 
 name: CodeQL
-permissions:
-  actions: read
-  contents: read
-  security-events: write
+permissions: {}
 
 on:
+  pull_request:
   push:
     branches:
       - master
-  pull_request:
   schedule:
     - cron: '00 12 * * 0'  # every Sunday at 12:00 UTC
 
@@ -26,3 +23,7 @@ jobs:
     name: CodeQL
     uses: LizardByte/.github/.github/workflows/__call-codeql.yml@master
     if: ${{ github.repository != 'LizardByte/.github' }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
diff --git a/.github/workflows/_common-lint.yml b/.github/workflows/_common-lint.yml
index 80be0cc..e7760cb 100644
--- a/.github/workflows/_common-lint.yml
+++ b/.github/workflows/_common-lint.yml
@@ -4,8 +4,7 @@
 # the above-mentioned repo.
 
 name: common lint
-permissions:
-  contents: read
+permissions: {}
 
 on:
   pull_request:
@@ -19,3 +18,5 @@ jobs:
     name: Common Lint
     uses: LizardByte/.github/.github/workflows/__call-common-lint.yml@master
     if: ${{ github.repository != 'LizardByte/.github' }}
+    permissions:
+      contents: read

From 3ae7f5668aacf46165ee70af008d95354df899ca Mon Sep 17 00:00:00 2001
From: David Lane <42013603+ReenigneArcher@users.noreply.github.com>
Date: Sat, 14 Feb 2026 09:44:07 -0500
Subject: [PATCH 2/2] Refactor CI workflow to pass GH_BOT_NAME as input

Removed GH_BOT_NAME from secrets and added it to inputs.
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6f24aa1..505caa3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -122,6 +122,7 @@ jobs:
       packages: write
     uses: LizardByte/.github/.github/workflows/__call-docker.yml@master
     with:
+      gh_bot_name: ${{ vars.GH_BOT_NAME }}
       maximize_build_space: false
       publish_release: ${{ needs.release-setup.outputs.publish_release }}
       release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -131,7 +132,6 @@ jobs:
       DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
       DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
       DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
-      GH_BOT_NAME: ${{ vars.GH_BOT_NAME }}
       GH_BOT_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}