chore: add workflow permissions (#368)

Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: jkowalleck <[email protected]>
Co-authored-by: jkowalleck <[email protected]>

Author: jkowalleck

.github/workflows/nodejs.yml

@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   # https://nodejs.dev/en/about/releases/
   NODE_ACTIVE_LTS: "22"

.github/workflows/release.yml

@@ -28,6 +28,8 @@ on:
         default: false
         required: false
 
+permissions: {}
+
 env:
   # https://nodejs.dev/en/about/releases/
   NODE_ACTIVE_LTS: "22"
@@ -41,6 +43,8 @@ jobs:
       version_plain: ${{ steps.bump.outputs.version_plain }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: write  # needed for git push
     steps:
       - name: Checkout code
         # see https://github.com/actions/checkout
@@ -73,6 +77,7 @@ jobs:
           NPMV_PREID: ${{ github.event.inputs.preid }}
       - name: git push back
         run: git push --follow-tags
+
   publish-NPMJS:
     needs:
       - "bump"
@@ -102,13 +107,16 @@ jobs:
       - name: publish to NPMJS as "unstable-prerelease"
         if: ${{ github.event.inputs.prerelease == 'true' }}
         run: npm publish --provenance --access public --tag 'unstable-prerelease'
+
   release-GH:
     needs:
       - "bump"
       - "publish-NPMJS"
     name: publish GitHub
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: write  # create a release
     steps:
       - name: Create Release
         id: release

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/bom",
-  "version": "4.1.1-alpha.0",
+  "version": "4.1.2-alpha.0",
   "description": "Meta-package for known CycloneDX Software Bill of Materials (SBOM) generators",
   "license": "Apache-2.0",
   "homepage": "https://github.com/CycloneDX/cyclonedx-node-module#readme",