Add permissions for workflows and update 3rd party actions

Jontzii · Jontzii · commit f6878888158b · 2025-12-10T07:52:55.000+02:00
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -4,10 +4,13 @@ on:
   push:
     branches:
       - main
-      - "releases/**"
+      - releases/**
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   run_kotlin_tests:
     name: Run Kotlin tests
@@ -20,7 +23,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v1
+    uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v6
     with:
       docker_image_name: jore4-map-matching
       build_arm64_image: true
diff --git a/.github/workflows/check-renovatebot-config.yml b/.github/workflows/check-renovatebot-config.yml
@@ -3,9 +3,12 @@ name: Check renovatebot config
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     name: Validate renovatebot config
-    uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v1
+    uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v2
     with:
       config_file_path: .github/renovate.json5
diff --git a/.github/workflows/generate-jooq.yml b/.github/workflows/generate-jooq.yml
@@ -4,9 +4,12 @@ on:
   push:
     branches:
       - main
-      - "releases/**"
+      - releases/**
   pull_request:
 
+permissions:
+  contents: read
+
 env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -17,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up JDK 17
         uses: actions/setup-java@v5
diff --git a/.github/workflows/run-kotlin-tests.yml b/.github/workflows/run-kotlin-tests.yml
@@ -4,6 +4,9 @@ on:
   # this workflow is only called by others, won't be executed on itself
   workflow_call:
 
+permissions:
+  contents: read
+
 env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -14,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Start database dependencies
         run: ./development.sh start:deps
diff --git a/.github/workflows/test-docker-compose.yml b/.github/workflows/test-docker-compose.yml
@@ -4,9 +4,12 @@ on:
   push:
     branches:
       - main
-      - "releases/**"
+      - releases/**
   pull_request:
 
+permissions:
+  contents: read
+
 env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -17,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Start the database and the map-matching service
         run: ./development.sh start
