diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 59e13c2..4e73b0f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,6 +7,9 @@ on: merge_group: branches: - main + - next + # merge group rulesets don't allow wildcards so in settings each maintenance branch needs to be added separately + - "maintenance/v*" # branch rulesets don't support v[0-9]+ permissions: contents: read diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index c2cb3c4..5e85093 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,24 +4,26 @@ on: push: branches: - main + - next + - "maintenance/v*" # branch rulesets don't support v[0-9]+ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: false queue: max -permissions: {} +permissions: {} # each job should define its own permission explicitly jobs: version: name: Version runs-on: ubuntu-latest + environment: version timeout-minutes: 10 outputs: hasChangesets: ${{ steps.changesets.outputs.hasChangesets }} permissions: - contents: write # to create version commits (changesets/action) - pull-requests: write # to create pull request (changesets/action) + contents: read # to check out repo (actions/checkout) steps: - name: Check out repo uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 
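Review bot: The checkout on the last line of this hunk is left at its default `persist-credentials: true`, so the job's now read-only GITHUB_TOKEN is written into `.git/config` as an `http.extraheader` and stays readable on disk for every later step, and a later `git push` (the changesets step further down the file pushes version commits) may present that read-only header before any other credential. Add `with:` / `persist-credentials: false` to the checkout step (its `with:` block, if one exists, is outside this hunk) so that only the token explicitly handed to the changesets step can authenticate pushes. The new `environment: version` line would also benefit from a comment stating what it is for, e.g. `environment: version # holds the release app's secrets; its deployment-branch policy should match the branches above`, since environment secrets are only as restricted as the environment's branch policy in repository settings, which this file cannot enforce.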
@@ -32,9 +34,19 @@ jobs: with: skip-cache: true # avoid cache poisoning attacks + - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + id: app-token + with: + client-id: ${{ vars.APP_CLIENT_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + permission-contents: write # to create version commits (changesets/action) + permission-pull-requests: write # to create pull request (changesets/action) + - name: Create or update release pull request id: changesets uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0 + with: + github-token: ${{ steps.app-token.outputs.token }} publish: name: Publish
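Review bot: The `with: github-token:` passed to `changesets/action` should be verified against the v1.8.0 action.yml, because earlier releases of that action read the token only from `env: GITHUB_TOKEN`, and an input the action does not declare is dropped with just a runner warning, which would leave the step failing at runtime or, if a `GITHUB_TOKEN` env is set elsewhere in the workflow, silently falling back to the read-only job token instead of the app token. If the input is not declared, the fix is `env:` / `GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}` on the changesets step. The app-token step would also be clearer with a comment recording its scope, e.g. `# no owner/repositories input: per the action's docs the token is scoped to this repository only and is revoked when the job ends`, since a reader otherwise has to know that to judge the blast radius of `permission-contents: write`. Note that commits and pull requests made with an app token, unlike GITHUB_TOKEN, do trigger other workflows, which is presumably the intent here but is worth stating in a comment next to `github-token:`.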