chore: add workflow permissions (#1392)

jkowalleck · web-flow · commit 7faa73d33d46 · 2025-05-26T14:13:56.000+02:00
Signed-off-by: Jan Kowalleck &lt;jan.kowalleck@gmail.com&gt;
Signed-off-by: jkowalleck &lt;jkowalleck@users.noreply.github.com&gt;
Co-authored-by: jkowalleck &lt;jkowalleck@users.noreply.github.com&gt;
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -18,6 +18,8 @@ concurrency:
   group: '${{ github.workflow }}-${{ github.ref }}'
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   REPORTS_DIR: CI_reports
   NODE_ACTIVE_LTS: "22" # https://nodejs.org/en/about/releases/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ on:
         default: false
         required: false
 
-permissions: write-all
+permissions: {}
 
 env:
   REPORTS_DIR: CI_reports
@@ -45,6 +45,8 @@ jobs:
       version_plain: ${{ steps.bump.outputs.version_plain }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: write  # needed for git push
     steps:
       - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
         # see https://github.com/actions/setup-node
@@ -90,6 +92,8 @@ jobs:
     name: publish package
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      id-token: write  # Enables provenance signing via OIDC
     env:
       PACKAGE_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }}
     steps:
@@ -150,6 +154,8 @@ jobs:
     name: publish GitHub
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: write  # create a release
     env:
       ASSETS_DIR: release_assets
     steps:
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/webpack-plugin",
-  "version": "5.0.1",
+  "version": "5.0.2-alpha.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBoM) from webpack projects",
   "license": "Apache-2.0",
   "copyright": "Copyright OWASP Foundation",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@cyclonedx/webpack-plugin",`
`3`		`- "version": "5.0.1",`
	`3`	`+ "version": "5.0.2-alpha.0",`
`4`	`4`	`"description": "Creates CycloneDX Software Bill of Materials (SBoM) from webpack projects",`
`5`	`5`	`"license": "Apache-2.0",`
`6`	`6`	`"copyright": "Copyright OWASP Foundation",`