diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index b341723..3e6de3a 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -7,8 +7,7 @@ on:
 - "bugfix/**"
 - "hotfix/**"
-permissions: read-all
-
+permissions: {}
 jobs:
 build-and-test:
diff --git a/.github/workflows/codequality.yml b/.github/workflows/codequality.yml
index 32d8cfb..767f259 100644
--- a/.github/workflows/codequality.yml
+++ b/.github/workflows/codequality.yml
@@ -11,9 +11,8 @@ on:
 - main
 types: [opened, synchronize, reopened, ready_for_review]
-permissions: read-all
+permissions: {}
-
 jobs:
 quality:
 permissions:
@@ -37,6 +36,7 @@ jobs:
 permissions:
 contents: read
 actions: read
+ id-token: write
 security-events: write
 uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 954e278..866ae88 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -11,7 +11,7 @@ on:
 paths:
 - .github/workflows/copilot-setup-steps.yml
-permissions: read-all
+permissions: {}
 jobs:
 # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index f8ec9fe..7b38a3b 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -1,9 +1,7 @@
 name: Dependabot Auto-Merge
 on: pull_request
-
-permissions: read-all
-
+permissions: {}
 jobs:
 dependabot:
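Review bot: With the workflow default now `permissions: {}`, a job without its own `permissions:` block gets a token with no scopes, and a called reusable workflow cannot receive more than the calling job declares. Here `build-and-test:` starts right after the changed line and its body is outside the hunk, so whether it declares e.g. `contents: read` is not visible; the same holds for the first hunks of copilot-setup-steps.yml, dependabot-automerge.yml (whose merge step needs write scopes), pr-verify.yml, release-publish-nuget.yml and release-version-and-tag.yml. Confirm each job carries an explicit block, and record the intent on the line itself, e.g. `permissions: {}  # deny by default; each job declares its own scopes`.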
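Review bot: The added `id-token: write` in the second codequality.yml hunk lets this job request an OIDC token, and the job is a call to `frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main`, a branch ref that can move without any commit in this repository. Whatever that branch holds at run time executes with `id-token: write` and `security-events: write`, so pinning the call would make the grant reviewable: `uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@<full-commit-sha>`. The hunk does not show what consumes the token, and the job may continue past the `uses:` line; a comment on the new line such as `id-token: write  # OIDC login for <consumer>` would document why it is needed. If the token is exchanged with a cloud provider, the trust policy there should be limited to this repository, and ideally to the called workflow via the `job_workflow_ref` claim.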
@@ -19,7 +17,7 @@ jobs:
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
 - name: Enable auto-merge for Dependabot PRs
- run: gh pr merge --auto --merge "$PR_URL"
+ run: gh pr merge --auto --squash "$PR_URL"
 env:
 PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
\ No newline at end of file
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index 2035d56..690ec2d 100644
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -6,8 +6,7 @@ on:
 - main
 types: [opened, synchronize, reopened, ready_for_review]
-permissions: read-all
-
+permissions: {}
 jobs:
 build-and-test:
diff --git a/.github/workflows/release-publish-nuget.yml b/.github/workflows/release-publish-nuget.yml
index dec8556..f978147 100644
--- a/.github/workflows/release-publish-nuget.yml
+++ b/.github/workflows/release-publish-nuget.yml
@@ -7,9 +7,7 @@ on:
 types:
 - completed
-
-permissions: read-all
-
+permissions: {}
 jobs:
 publish-nuget-packages:
diff --git a/.github/workflows/release-version-and-tag.yml b/.github/workflows/release-version-and-tag.yml
index be14aa4..6e39324 100644
--- a/.github/workflows/release-version-and-tag.yml
+++ b/.github/workflows/release-version-and-tag.yml
@@ -8,9 +8,7 @@ on:
 paths:
 - 'src/**'
-
-permissions: read-all
-
+permissions: {}
 jobs:
 calculate-version:
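Review bot: The `Enable auto-merge for Dependabot PRs` step has no `if:` of its own (its name, run and env keys are all visible and the file ends after env), so within this hunk nothing limits which pull requests reach `gh pr merge --auto --squash`. The job header is outside the hunk and may already carry an author check; if it does not, add one such as `if: github.event.pull_request.user.login == 'dependabot[bot]'`, since the workflow runs on every `pull_request`. Once enabled, the merge depends entirely on the target branch's required checks, so a comment above the step should say so and state which update types are meant to merge unattended, e.g. `# auto-merge relies on required status checks; intended for <update types>`. Passing the URL through `env` and quoting `"$PR_URL"` is the right pattern and should stay.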