From a9cbff8452500eb0e962edfede0c6dc7ddec4c76 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen
Date: Tue, 12 May 2026 16:45:53 +0200
Subject: [PATCH 1/2] refactor(ci): update centralized workflow references to common- prefix

check-semantic-pr.yml and build-docs.yml were renamed to common-check-semantic-pr.yml and common-build-docs.yml in reqstool/.github as part of the workflow directory flatten refactor.

Signed-off-by: Jimisola Laursen
---
 .github/workflows/build-docs.yml | 2 +-
 .github/workflows/check-semantic-pr.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index abb7f9f..1d811fe 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -12,4 +12,4 @@ on:
 jobs:
 build:
- uses: reqstool/.github/.github/workflows/build-docs.yml@main
+ uses: reqstool/.github/.github/workflows/common-build-docs.yml@main
diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 459b868..b6694ba 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -5,4 +5,4 @@ on:
 jobs:
 check:
- uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
+ uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@main
From 4761ddd5d4fbdbda5d5ff4ff8aa4f4678967c920 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen
Date: Tue, 12 May 2026 21:13:54 +0200
Subject: [PATCH 2/2] fix(ci): add explicit permissions blocks to workflow wrappers

Fixes CodeQL alert: workflow does not limit GITHUB_TOKEN permissions.

Signed-off-by: Jimisola Laursen
---
 .github/workflows/build-docs.yml | 3 +++
 .github/workflows/check-semantic-pr.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index 1d811fe..675a55b 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -10,6 +10,9 @@ on:
 paths:
 - "docs/**"
+permissions:
+ contents: read
+
 jobs:
 build:
 uses: reqstool/.github/.github/workflows/common-build-docs.yml@main
diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index b6694ba..be165e5 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -3,6 +3,9 @@ on:
 pull_request:
 types: [opened, edited, synchronize, reopened]
+permissions:
+ pull-requests: read
+
 jobs:
 check:
 uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@main
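Review bot: The top-level `permissions: contents: read` added in build-docs.yml is also the ceiling for the reusable workflow called by the `build` job, since a called workflow can only keep or reduce the caller's token scopes, and every scope not listed becomes `none`. The callee is not visible from this patch, so confirm that common-build-docs.yml needs no write scope (for example to publish the built docs); if it does, the job will fail rather than escalate. A short comment above the block would record the intent, such as `# Upper bound for the called workflow's GITHUB_TOKEN; the callee cannot raise it`. The same applies to `pull-requests: read` in check-semantic-pr.yml.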
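Review bot: The `uses:` line directly below the new `permissions` block in check-semantic-pr.yml still tracks the reusable workflow at `@main`, a mutable ref, so any change on that branch runs in this repository on the next pull request without a reviewed change here. Pinning to a full commit SHA makes the executed workflow reviewable and reproducible, e.g. `uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@<full-commit-sha> # main`, where the SHA is a placeholder to be filled in from reqstool/.github. The same ref appears in the `build` job of build-docs.yml. The read-only token scope added here limits what an unexpected change could do, but it does not control which code runs.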