Conversation
Bumps and [minimatch](https://github.com/isaacs/minimatch). These dependencies needed to be updated together. Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…fcd984 Bump minimatch
There was a problem hiding this comment.
Pull request overview
This PR performs a March dependency refresh for @next2d/view-generator and adjusts GitHub Actions so publishing on main is gated by the existing lint workflow.
Changes:
- Bump package version to
4.0.1and update several dev dependencies (ESLint + TypeScript ESLint) and@types/node. - Update
package-lock.jsonto match the dependency changes. - Update CI so
publish.ymlruns the reusablelint.ymlworkflow first, and addworkflow_callsupport tolint.yml.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
package.json |
Patch version bump and dependency updates. |
package-lock.json |
Lockfile updates reflecting new dependency graph/versions. |
.github/workflows/publish.yml |
Adds a lint reusable-workflow job and gates publish on lint completion; updates job permissions. |
.github/workflows/lint.yml |
Adds workflow_call trigger and adjusts push branch trigger/permissions to support reuse. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write |
There was a problem hiding this comment.
pull-requests: write is being granted to the publish job, but this workflow only runs on push to main and the steps shown don’t interact with PRs. This extra permission increases repo risk; please remove it unless a later step truly needs to write to PRs.
| pull-requests: write |
| lint: | ||
| uses: ./.github/workflows/lint.yml | ||
|
|
There was a problem hiding this comment.
Since the workflow has permissions: id-token: write at the top level and you added a lint job that calls the reusable lint workflow, that lint job will also receive OIDC token write access. For least privilege, consider moving id-token: write to only the publish job (and keeping the workflow/job default to contents: read), or explicitly setting minimal permissions on the lint job.
No description provided.