From 826fae58e6bdabd5970770098af884f38c6b9b18 Mon Sep 17 00:00:00 2001
From: Matt Simerson
Date: Wed, 8 Apr 2026 17:18:22 -0700
Subject: [PATCH 1/2] ci: update permissions to be explicit
---
 .github/FUNDING.yml | 3 ---
 .github/workflows/ci.yml | 12 ++++++++++++
 .github/workflows/codeql.yml | 4 ++++
 .github/workflows/publish.yml | 5 +++++
 4 files changed, 21 insertions(+), 3 deletions(-)
 delete mode 100644 .github/FUNDING.yml
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 53e71ae..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: msimerson
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9054b6f..bd5d7e5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,9 +11,13 @@ env:
 jobs:
 lint:
+ permissions:
+ contents: read
 uses: NicTool/.github/.github/workflows/lint.yml@main
 coverage:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Start MySQL
@@ -37,6 +41,8 @@ jobs:
 github-token: ${{ secrets.github_token }}
 get-lts:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - id: get
@@ -49,6 +55,8 @@ jobs:
 min: ${{ steps.get.outputs.min }}
 test:
+ permissions:
+ contents: read
 needs: [ get-lts ]
 runs-on: ${{ matrix.os }}
 strategy:
@@ -67,6 +75,8 @@ jobs:
 - run: npm test
 test-mac:
+ permissions:
+ contents: read
 needs: [ get-lts ]
 runs-on: macos-latest
 strategy:
@@ -88,6 +98,8 @@ jobs:
 - run: npm test
 test-win:
+ permissions:
+ contents: read
 needs: [ get-lts ]
 runs-on: windows-latest
 strategy:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 46e21d1..bddfa1e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,4 +11,8 @@ on:
 jobs:
 codeql:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
 uses: NicTool/.github/.github/workflows/codeql.yml@main
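Review bot: The new `permissions` blocks are attached per job (lint here, and coverage, get-lts, test, test-mac and test-win in the five ci.yml hunks that follow), but no workflow-level default is visible, so any job added to this file later without its own block falls back to the repository's default GITHUB_TOKEN permissions, which can still be read/write. A top-level `permissions:` / `contents: read` beside `env:` (outside this hunk) would make least privilege the default and leave the per-job blocks to widen only where needed. For the lint job the block is a ceiling for the reusable workflow called via `uses:`; the called workflow's jobs must still declare their own permissions, which this repository cannot verify from here. get-lts does not appear to check out the repository, so it may be able to drop to `permissions: {}`, though its steps sit outside the hunk and that should be confirmed before tightening.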
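Review bot: `security-events: write` is granted to a job whose `uses:` target is the mutable `@main` ref of NicTool/.github, so whatever that branch contains when the workflow runs gains the ability to write this repository's code-scanning results; NicTool/.github looks like the same organisation's shared repository, which lowers but does not remove that exposure. Pinning the reusable workflow to a release tag or commit SHA would bound the grant to reviewed content. As with the ci.yml jobs, this block is only the ceiling — confirm the called codeql.yml declares `security-events: write` on its own job, otherwise the upload step will fail despite this change.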
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5fb3fdf..897946c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,6 +10,8 @@ env:
 jobs:
 build:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - run: sudo /etc/init.d/mysql start
@@ -22,6 +24,9 @@ jobs:
 - run: npm test
 publish-npm:
+ permissions:
+ contents: read
+ id-token: write
 needs: build
 runs-on: ubuntu-latest
 steps:
From e917430ae8f9ee6254505fbe09c5323d42393ab1 Mon Sep 17 00:00:00 2001
From: Matt Simerson
Date: Wed, 8 Apr 2026 17:19:51 -0700
Subject: [PATCH 2/2] ci: only test active node version on mac/win
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bd5d7e5..f215e45 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
 runs-on: macos-latest
 strategy:
 matrix:
- node-version: ${{ fromJson(needs.get-lts.outputs.lts) }}
+ node-version: ${{ fromJson(needs.get-lts.outputs.active) }}
 fail-fast: false
 steps:
 - name: Install & Start MySQL
@@ -104,7 +104,7 @@ jobs:
 runs-on: windows-latest
 strategy:
 matrix:
- node-version: ${{ fromJson(needs.get-lts.outputs.lts) }}
+ node-version: ${{ fromJson(needs.get-lts.outputs.active) }}
 experimental: [true]
 fail-fast: false
 steps:
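Review bot: `id-token: write` on publish-npm is only needed if the publish step requests an OIDC token (npm provenance or trusted publishing); the job's steps are outside this hunk, so confirm that is how it publishes and drop the scope if the job still authenticates with a stored npm token, since an unused OIDC grant is exactly the kind of permission this commit is trying to make explicit. The line also deserves a why-comment so the next reader does not strip it as unused, e.g. `id-token: write  # OIDC token for npm provenance`. Pairing it with `contents: read` is the right shape — publishing does not require write access to the repository.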
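Review bot: test-mac (this hunk) and test-win (the next hunk) now read `needs.get-lts.outputs.active`, but the get-lts outputs block is outside this patch — the earlier patch shows only its `min` output — so confirm the job actually declares an `active` output; a job output that is not declared evaluates to an empty string, and `fromJson` on that will most likely fail when the matrix strategy is evaluated rather than with a clear message. A short comment on the changed line, such as `# mac/win: active Node version only (see get-lts outputs)`, would record why these two jobs intentionally diverge from the Linux test job's matrix.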