Add permissions for workflows and update 3rd party actions

Joonas Hiltunen · Jontzii · commit 64d29b8dec3d · 2025-12-10T07:49:16.000+02:00
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -4,10 +4,13 @@ on:
   push:
     branches:
       - main
-      - "releases/**"
+      - releases/**
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   run_unit_tests:
     name: Run unit tests
@@ -25,7 +28,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v1
+    uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v6
     with:
       docker_image_name: jore4-auth
       build_arm64_image: true
diff --git a/.github/workflows/check-renovatebot-config.yml b/.github/workflows/check-renovatebot-config.yml
@@ -3,9 +3,12 @@ name: Check renovatebot config
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     name: Validate renovatebot config
-    uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v1
+    uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v2
     with:
       config_file_path: .github/renovate.json5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,17 +4,20 @@ on:
   # this workflow is only called by others, won't be executed on itself
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: Run auth backend tests
     runs-on: ubuntu-24.04
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: "17"
           java-package: jdk
diff --git a/.github/workflows/ktlint.yml b/.github/workflows/ktlint.yml
@@ -1,19 +1,22 @@
-name: 'ktlint'
+name: ktlint
 on:
   # this workflow is only called by others, won't be executed on itself
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   spotless:
     name: Check code is formatted with ktlint
     runs-on: ubuntu-24.04
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: "17"
           java-package: jdk
