From a1827af2f15ee7675d936c922cca5d8072db250d Mon Sep 17 00:00:00 2001
From: Jimisola Laursen
Date: Tue, 12 May 2026 16:45:53 +0200
Subject: [PATCH 1/2] refactor(ci): update centralized workflow references to common- prefix

check-semantic-pr.yml and build-docs.yml were renamed to common-check-semantic-pr.yml and common-build-docs.yml in reqstool/.github as part of the workflow directory flatten refactor.

Signed-off-by: Jimisola Laursen
---
 .github/workflows/build-docs.yml | 2 +-
 .github/workflows/check-semantic-pr.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index abb7f9f..1d811fe 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -12,4 +12,4 @@ on:

 jobs:
 build:
- uses: reqstool/.github/.github/workflows/build-docs.yml@main
+ uses: reqstool/.github/.github/workflows/common-build-docs.yml@main
diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 5bacd57..7e27d90 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -7,4 +7,4 @@ on:

 jobs:
 check:
- uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
+ uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@main
From 4ea70bd0d61847d584f63f934a1629034527d7b6 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen
Date: Tue, 12 May 2026 21:13:53 +0200
Subject: [PATCH 2/2] fix(ci): add explicit permissions blocks to workflow wrappers

Fixes CodeQL alert: workflow does not limit GITHUB_TOKEN permissions.

Signed-off-by: Jimisola Laursen
---
 .github/workflows/build-docs.yml | 3 +++
 .github/workflows/check-semantic-pr.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index 1d811fe..675a55b 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -10,6 +10,9 @@ on:
 paths:
 - "docs/**"

+permissions:
+ contents: read
+
 jobs:
 build:
 uses: reqstool/.github/.github/workflows/common-build-docs.yml@main
diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 7e27d90..81a00ea 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -5,6 +5,9 @@ on:
 pull_request_target:
 types: [opened, edited, synchronize, reopened]

+permissions:
+ pull-requests: read
+
 jobs:
 check:
 uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@main
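Review bot: The `uses:` context line under `build:` in this hunk, and the matching one in the check-semantic-pr.yml hunk, still reference the reusable workflow by the mutable ref `@main`, so the new `permissions:` block limits the token but not which code receives it. Pinning to a full commit SHA, `uses: reqstool/.github/.github/workflows/common-build-docs.yml@<full-commit-sha>`, keeps a later push to the shared repository from changing what runs here without review. The workflow-level `contents: read` also becomes the ceiling for the called workflow, which can keep or reduce the caller's GITHUB_TOKEN permissions but not raise them. The body of common-build-docs.yml is not visible in this patch, so if it publishes the built docs, the extra scope would have to be granted on the `build` job; a short comment such as `# caps the token for the called workflow; widen per job only if it must publish` would record that.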
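Review bot: The `pull_request_target` trigger in this hunk's context runs the wrapper in the base repository's context even for pull requests from forks, and nothing in the file records the constraint that makes that safe. I would add a comment above the new block, for example `# pull_request_target: base-repo context; the called workflow must only read PR metadata and never check out or run PR head code`. The `pull-requests: read` cap fits a title check, but the called workflow is not visible here, so it is worth confirming it requests no scope beyond this one, since a called job asking for more than the caller grants fails instead of running with less. The `on:` block begins outside the hunk.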