Try to fix releases by adding permissions and upgradeing node version (#25)

Author: gromdimon

.github/workflows/hotfix.yml

@@ -13,19 +13,27 @@ env:
 
 jobs:
   semantic-release:
-    if: "!startsWith(github.ref, 'refs/tags/') && contains(github.event.head_commit.message, '[hotfix]')"
+    if: "!startsWith(github.ref, 'refs/tags/') && contains(github.event.head_commit.message, 'hotfix:')"
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: '16'
+          node-version: "lts/*"
 
       - name: Install dependencies
-        run: npm ci
+        run: npm clean-install
+
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
 
       - name: Run Semantic Release for Hotfix
         env:
@@ -67,9 +75,12 @@ jobs:
           platforms: linux/amd64,linux/arm64
 
   cherry-pick:
-    if: contains(github.event.head_commit.message, '[hotfix]') && startsWith(github.ref, 'refs/heads/main')
+    if: contains(github.event.head_commit.message, 'hotfix:') && startsWith(github.ref, 'refs/heads/main')
     runs-on: ubuntu-latest
     needs: docker-build
+    permissions:
+      contents: write # to be able to push to the main branch
+      pull-requests: write # to be able to create a pull request
     steps:
       - name: Checkout main branch
         uses: actions/checkout@v4

.github/workflows/release.yml

@@ -14,18 +14,26 @@ env:
 jobs:
   semantic-release:
     if: "!startsWith(github.ref, 'refs/tags/')"
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: '16'
+          node-version: "lts/*"
 
       - name: Install dependencies
-        run: npm ci
+        run: npm clean-install
+
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
 
       - name: Run Semantic Release
         env: