From 345971521a0a36524bc4baadbcea1e09ef64346c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Burzy=C5=84ski?=
Date: Tue, 2 Jun 2026 10:37:53 +0200
Subject: [PATCH 1/2] Use internal bot for versioning

---
 .github/workflows/publish.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2723f27..c0c33ab 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,6 +16,7 @@ jobs:
 version:
 name: Version
 runs-on: ubuntu-latest
+ environment: version
 timeout-minutes: 10
 outputs:
 hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
@@ -32,9 +33,17 @@ jobs:
 with:
 skip-cache: true # avoid cache poisoning attacks
 
+ - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ id: app-token
+ with:
+ client-id: ${{ vars.APP_CLIENT_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Create or update release pull request
 id: changesets
 uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
+ with:
+ github-token: ${{ steps.app-token.outputs.token }}
 
 publish:
 name: Publish

From 7489b7c2097c0fdea393cc591776ae310e1b5136 Mon Sep 17 00:00:00 2001
From: bluwy
Date: Wed, 10 Jun 2026 00:04:50 +0800
Subject: [PATCH 2/2] Match core repo

---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/publish.yml | 11 +++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 59e13c2..4e73b0f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
 merge_group:
 branches:
 - main
+ - next
+ # merge group rulesets don't allow wildcards so in settings each maintenance branch needs to be added separately
+ - "maintenance/v*" # branch rulesets don't support v[0-9]+
 
 permissions:
 contents: read
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3b8efb2..5e85093 100644
--- a/.github/workflows/publish.yml
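Review bot: `environment: version` is added to the version job without a comment saying what the environment is for; presumably it is where `APP_CLIENT_ID` and `APP_PRIVATE_KEY` are defined so that only this job can mint the app token, and that intent is worth recording inline, e.g. `environment: version # environment-scoped credentials for the release app token (see app-token step)`. The environment's deployment branch policy lives in repository settings rather than in this file, so it has to list every branch that can trigger this workflow; the second patch widens the push trigger to `next` and `maintenance/v*`, and a policy still limited to `main` would reject the job on those branches. The version job's body continues outside the hunk.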
+++ b/.github/workflows/publish.yml
@@ -4,13 +4,15 @@ on:
 push:
 branches:
 - main
+ - next
+ - "maintenance/v*" # branch rulesets don't support v[0-9]+
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: false
 queue: max
 
-permissions: {}
+permissions: {} # each job should define its own permission explicitly
 
 jobs:
 version:
@@ -21,8 +23,7 @@ jobs:
 outputs:
 hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
 permissions:
- contents: write # to create version commits (changesets/action)
- pull-requests: write # to create pull request (changesets/action)
+ contents: read # to check out repo (actions/checkout)
 steps:
 - name: Check out repo
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -33,11 +34,13 @@ jobs:
 with:
 skip-cache: true # avoid cache poisoning attacks
 
- - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: app-token
 with:
 client-id: ${{ vars.APP_CLIENT_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ permission-contents: write # to create version commits (changesets/action)
+ permission-pull-requests: write # to create pull request (changesets/action)
 
 - name: Create or update release pull request
 id: changesets
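Review bot: Dropping the job to `contents: read` assumes the version commit pushed by changesets/action goes out with the app token, but `actions/checkout` persists the job's `GITHUB_TOKEN` in the checked-out repository's git config by default, and a credential configured there typically wins over the one the changesets step sets up for itself; the checkout step's `with:` block is outside this hunk, so I cannot see whether that is handled. If it is not, the push would fail with a 403 only at release time, after the version job has already run. Consider `persist-credentials: false` on the `Check out repo` step so the app token is the only credential able to push, or confirm on a dry run which identity the release commit is pushed with.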
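Review bot: The two `permission-*` inputs narrow what the minted token may do, but nothing in the step records that the token is also limited to this one repository, which holds only because `owner` and `repositories` are left unset; a later edit that adds `owner:` to reach a second repo would widen the token to every repository the app is installed on without touching these lines. A one-line comment above the `with:` block would pin that intent, e.g. `# no owner/repositories input: token is scoped to this repository only`. The app-token step is the only write credential in the job once `GITHUB_TOKEN` is down to `contents: read`, which is worth saying in the `permission-contents` comment as well.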