diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..ca79ca5b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 45bb1d37..a1e000e0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,8 @@ on:
 - main
 pull_request:
+permissions: {}
+
 # Automatically cancel in-progress actions on the same branch
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -14,8 +16,7 @@ concurrency:
 jobs:
 scripts:
 if: github.repository_owner == 'bombshell-dev'
- uses: bombshell-dev/automation/.github/workflows/run.yml@main
- secrets: inherit
+ uses: bombshell-dev/automation/.github/workflows/run.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-12
 with:
 commands: >
 [
diff --git a/.github/workflows/detect-agent.yml b/.github/workflows/detect-agent.yml
index 0d8c17b4..a8023a17 100644
--- a/.github/workflows/detect-agent.yml
+++ b/.github/workflows/detect-agent.yml
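Review bot: The `# main as of 2026-05-12` comments on the SHA pins this commit introduces in ci.yml, detect-agent.yml, format.yml, issue.yml, preview.yml and publish.yml name a branch rather than a release tag, so as far as I can tell this Dependabot config has nothing to follow for the `bombshell-dev/automation` pins; Dependabot refreshes a SHA pin by tracking the tag named in its trailing comment, as the `# v2` on `ljharb/require-allow-edits` allows. Those six pins will likely have to be bumped by hand until the automation repository publishes tags, which is worth recording in a comment next to the first one, e.g. `# pinned to a main commit; no tag to track, refresh manually`. The `github-actions` entry with `directory: /` otherwise covers the whole `.github/workflows` tree; whether the repository's own package manifests also need an `updates` entry is not visible from this hunk.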
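Review bot: The `scripts` job keeps no `permissions:` block of its own, so once the workflow-level `permissions: {}` from the hunk above takes effect the called `run.yml` receives a token with no scopes; the `backlog` and `project` jobs in issue.yml are in the same position. If the reusable workflow checks out a private repository or calls the API with `github.token` it will now fail, so either confirm it relies only on explicitly passed secrets or give the job the minimum it needs, e.g. `permissions:` followed by `  contents: read`. Dropping `secrets: inherit` here without an explicit `secrets:` map also means run.yml receives no secrets at all, unlike the other callers in this commit; worth confirming that is intended rather than an oversight. The `with:` block continues past the end of the hunk.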
@@ -5,15 +5,19 @@ on:
 types: [opened]
 workflow_dispatch: {}
-permissions:
- issues: write
- pull-requests: write
+permissions: {}
 jobs:
 detect:
- if: github.event_name != 'workflow_dispatch'
- uses: bombshell-dev/automation/.github/workflows/detect-agent.yml@main
+ if: github.repository_owner == 'bombshell-dev' && github.event_name != 'workflow_dispatch'
+ uses: bombshell-dev/automation/.github/workflows/detect-agent.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-12
+ permissions:
+ issues: write
+ pull-requests: write
 backfill:
- if: github.event_name == 'workflow_dispatch'
- uses: bombshell-dev/automation/.github/workflows/detect-agent-backfill.yml@main
+ if: github.repository_owner == 'bombshell-dev' && github.event_name == 'workflow_dispatch'
+ uses: bombshell-dev/automation/.github/workflows/detect-agent-backfill.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-12
+ permissions:
+ issues: write
+ pull-requests: write
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 867c2c3c..d2c37fc6 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -6,11 +6,15 @@ on:
 branches:
 - main
+permissions: {}
+
 jobs:
 format:
 if: github.repository_owner == 'bombshell-dev'
- uses: bombshell-dev/automation/.github/workflows/format.yml@main
+ uses: bombshell-dev/automation/.github/workflows/format.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-12
 permissions:
 contents: write
 pull-requests: write
- secrets: inherit
+ secrets:
+ BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
+ BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml
index f35f934e..6a455431 100644
--- a/.github/workflows/issue.yml
+++ b/.github/workflows/issue.yml
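Review bot: The explicit `secrets:` map replacing `secrets: inherit` in the `format` job is the right direction, but it only fails loudly if the called workflow cooperates: a secret the callee declares under `on.workflow_call.secrets` without `required: true` and the caller omits is silently empty at runtime. Worth confirming that the automation repository's format.yml at the pinned commit declares both `BOT_APP_ID` and `BOT_PRIVATE_KEY` as required; the same applies to the `secrets:` maps added in issue.yml and publish.yml. The `on:` block above the hunk is cut off, so whether this workflow runs on `push` or `pull_request` for `main` is not visible here.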
@@ -4,13 +4,19 @@ on:
 issues:
 types: [opened, edited, labeled, reopened]
+permissions: {}
+
 jobs:
 backlog:
 if: github.event.action == 'edited' || github.event.action == 'labeled'
- uses: bombshell-dev/automation/.github/workflows/move-issue-to-backlog.yml@main
- secrets: inherit
+ uses: bombshell-dev/automation/.github/workflows/move-issue-to-backlog.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-12
+ secrets:
+ BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
+ BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
 project:
 if: github.event.action == 'opened' || github.event.action == 'reopened'
- uses: bombshell-dev/automation/.github/workflows/add-issue-to-project.yml@main
- secrets: inherit
+ uses: bombshell-dev/automation/.github/workflows/add-issue-to-project.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-12
+ secrets:
+ BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
+ BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index c63fdbe7..4131d210 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -5,14 +5,16 @@ on:
 branches:
 - main
 pull_request:
+ types: [opened, synchronize, reopened]
 workflow_dispatch:
+permissions: {}
 jobs:
 preview:
 if: github.repository_owner == 'bombshell-dev'
- uses: bombshell-dev/automation/.github/workflows/preview.yml@main
- permissions:
+ uses: bombshell-dev/automation/.github/workflows/preview.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-12
+ permissions:
 contents: write
 pull-requests: write
 id-token: write
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4fb71b2c..9b152449 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
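Review bot: The `preview` job requests `contents: write`, `pull-requests: write` and `id-token: write` while being triggered by `pull_request`, and `github.repository_owner == 'bombshell-dev'` does not exclude pull requests from forks (the owner is that of the base repository); for a fork PR the token is read-only and secrets are withheld, so the job will run and fail rather than be skipped. If the preview is meant for same-repository branches only, say so in the guard, e.g. `if: github.repository_owner == 'bombshell-dev' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)`. The added `types: [opened, synchronize, reopened]` is the default activity-type set for `pull_request`, so it changes nothing; a comment such as `# default pull_request activity types, listed for clarity` would stop a reader from looking for a behavioural change. The `permissions:` line that is removed and re-added appears to be an indentation fix the collapsed rendering hides.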
@@ -5,14 +5,17 @@ on:
 branches: [main, v0]
 workflow_dispatch:
-permissions:
- id-token: write
- contents: write
- pull-requests: write
- packages: write
+permissions: {}
 jobs:
 publish:
 if: github.repository_owner == 'bombshell-dev'
- uses: bombshell-dev/automation/.github/workflows/publish.yml@main
- secrets: inherit
+ uses: bombshell-dev/automation/.github/workflows/publish.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-12
+ permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
+ packages: write
+ secrets:
+ BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
+ BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml
index f27f177c..394e40b2 100644
--- a/.github/workflows/require-allow-edits.yml
+++ b/.github/workflows/require-allow-edits.yml
@@ -1,18 +1,17 @@
-name: Require “Allow Edits”
+name: Require "Allow Edits"
 on: [pull_request_target]
-permissions:
- contents: read
+permissions: {}
 jobs:
 _:
 permissions:
 pull-requests: read
- name: "Require “Allow Edits”"
+ name: "Require \"Allow Edits\""
 runs-on: ubuntu-latest
 steps:
- - uses: ljharb/require-allow-edits@v2
+ - uses: ljharb/require-allow-edits@be4a9d13001dfa5bfc10af68313bad753d7bdc6a # v2
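Review bot: The `publish` job now carries `id-token: write`, `contents: write`, `pull-requests: write` and `packages: write` and can be started by `workflow_dispatch` from any ref, since the only guard is `github.repository_owner == 'bombshell-dev'`; nothing in the hunk limits a manual run to the branches listed under `branches: [main, v0]`. If the called publish.yml does not check the ref itself, consider extending the guard, e.g. `if: github.repository_owner == 'bombshell-dev' && (github.event_name != 'workflow_dispatch' || contains(fromJSON('["main", "v0"]'), github.ref_name))`. Moving the scopes from the workflow level into the job is otherwise the right shape, and it keeps the broad grant away from any job added to this file later. The `on:` key starts above the hunk, so the event the `branches` list belongs to is not visible here.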
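Review bot: The job `name: "Require \"Allow Edits\""` escapes the inner quotes where single quoting avoids escapes entirely, `name: 'Require "Allow Edits"'`; the workflow-level `name:` on the first line is a plain scalar and needs no change. The security shape is right for `pull_request_target`: the workflow-level `permissions: {}` plus the job's `pull-requests: read` leaves no write scope, the single step does not check out the PR head, and the `# v2` comment on the new SHA pin is what lets Dependabot keep it current.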