From 86bffec0e67195133481619f8248b3050645fc04 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 17:58:59 +0000 Subject: [PATCH 01/22] ci(release): Switch from action-prepare-release to Craft This PR migrates from the deprecated action-prepare-release to the new Craft GitHub Actions (reusable workflow or composite action). Changes: - Migrate .github/workflows/release.yml to Craft reusable workflow --- .github/workflows/changelog-preview.yml | 13 +++++++++ .github/workflows/release.yml | 35 +++++++------------------ 2 files changed, 23 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/changelog-preview.yml diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml new file mode 100644 index 0000000000..1ed1021302 --- /dev/null +++ b/.github/workflows/changelog-preview.yml @@ -0,0 +1,13 @@ +name: Changelog Preview +on: + pull_request: + types: + - opened + - synchronize + - reopened + - edited + - labeled +jobs: + changelog-preview: + uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dc6b543761..aac4158827 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
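Review bot: The new `changelog-preview` job calls `getsentry/craft/.github/workflows/changelog-preview.yml@v2` with `secrets: inherit`, so on same-repository pull requests every secret the repository exposes is handed to whatever commit the movable `v2` tag points at. Pin the reusable workflow to a full commit SHA, `uses: getsentry/craft/.github/workflows/changelog-preview.yml@<full-commit-sha> # <exact release>`, and pass by name only the secrets the preview needs (which ones, if any, is not visible here). The release.yml hunk that follows introduces the same `@v2` plus `secrets: inherit` pair on the release job, in a repository that holds `SENTRY_RELEASE_BOT_PRIVATE_KEY`.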
@@ -3,34 +3,19 @@ on: workflow_dispatch: inputs: version: - description: Version to release - required: true + description: Version to release (or "auto") + required: false force: - description: Force a release even when there are release-blockers (optional) + description: Force a release even when there are release-blockers required: false merge_target: - description: Target branch to merge into. Uses the default branch as a fallback (optional) + description: Target branch to merge into required: false jobs: release: - runs-on: ubuntu-24.04 - name: 'Release a new version' - steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # 1.6.6 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ github.event.inputs.version }} - force: ${{ github.event.inputs.force }} - merge_target: ${{ github.event.inputs.merge_target }} + uses: getsentry/craft/.github/workflows/release.yml@v2 + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + merge_target: ${{ inputs.merge_target }} + secrets: inherit From 04fd9dc0ea0c6b8eb2c94301ecdcc375ee615d94 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 23:08:47 +0000 Subject: [PATCH 02/22] ci(release): Restore GitHub App token authentication The previous migration incorrectly removed the GitHub App token authentication step. This commit restores it by switching to the composite action pattern which preserves the auth flow. --- .github/workflows/release.yml | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index aac4158827..da677fe82f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,9 +13,24 @@ on: required: false jobs: release: - uses: getsentry/craft/.github/workflows/release.yml@v2 - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - merge_target: ${{ inputs.merge_target }} - secrets: inherit + runs-on: ubuntu-latest + name: Release a new version + steps: + - name: Get auth token + id: token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v4 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/craft@v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + merge_target: ${{ inputs.merge_target }} From 2e7c5c599ab9b923e777ab39b06125a40bfb07d1 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 00:29:28 +0000 Subject: [PATCH 03/22] fix: Pin actions to SHA and add permissions blocks --- .github/workflows/changelog-preview.yml | 4 ++++ .github/workflows/release-ghcr-latest-tag.yml | 4 ++++ .github/workflows/release-ghcr-version-tag.yml | 4 ++++ .github/workflows/release.yml | 10 +++++++--- 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 1ed1021302..5883c004c0 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml @@ -7,6 +7,10 @@ on: - reopened - edited - labeled +permissions: + contents: write + pull-requests: write + jobs: changelog-preview: uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 
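Review bot: `runs-on: ubuntu-latest` replaces the `ubuntu-24.04` this job ran on before the migration, so the job that mints and uses the release bot's app token now runs on a floating runner image; keep `runs-on: ubuntu-24.04`. The three `uses:` lines in the restored steps (`actions/create-github-app-token@v1`, `actions/checkout@v4`, `getsentry/craft@v2`) are mutable tags where the job removed in patch 01 had full SHAs, and the first two are older majors than the `v2.2.1` and `6.0.1` that were in place. Each of those refs runs with whatever access the app installation token grants, because the token is passed to checkout and exported as `GITHUB_TOKEN` to the Craft step.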
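Review bot: The workflow-level `contents: write` added to changelog-preview.yml applies to a job that runs on every `pull_request` event, and nothing visible shows the preview needing to push to the repository. `contents: read` together with `pull-requests: write` would presumably be enough to post a preview; confirm against what the called workflow actually does. The commit subject says actions are pinned to SHAs, yet the `uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2` line in this hunk's context is still a tag, and per patch 01 it is called with `secrets: inherit`.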
diff --git a/.github/workflows/release-ghcr-latest-tag.yml b/.github/workflows/release-ghcr-latest-tag.yml index fa15eee55b..9774b1e7f6 100644 --- a/.github/workflows/release-ghcr-latest-tag.yml +++ b/.github/workflows/release-ghcr-latest-tag.yml @@ -4,6 +4,10 @@ on: release: types: [released] +permissions: + contents: write + pull-requests: write + jobs: release-ghcr-latest-tag: runs-on: ubuntu-24.04 diff --git a/.github/workflows/release-ghcr-version-tag.yml b/.github/workflows/release-ghcr-version-tag.yml index c57f86135b..c20802a8b9 100644 --- a/.github/workflows/release-ghcr-version-tag.yml +++ b/.github/workflows/release-ghcr-version-tag.yml @@ -4,6 +4,10 @@ on: release: types: [prereleased, released] +permissions: + contents: write + pull-requests: write + jobs: release-ghcr-version-tag: runs-on: ubuntu-24.04 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index da677fe82f..83f2be278f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,10 @@ on: merge_target: description: Target branch to merge into required: false +permissions: + contents: write + pull-requests: write + jobs: release: runs-on: ubuntu-latest @@ -18,16 +22,16 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@v2 + uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 627ec46c8b0aee9ca806bdeb5ffa060ab25b5568 Mon Sep 17 00:00:00 2001 
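Review bot: The `permissions:` block added to release-ghcr-latest-tag.yml is the same `contents: write` / `pull-requests: write` pair that this commit also adds to release-ghcr-version-tag.yml and release.yml, which suggests it was applied as a template rather than derived from what each job does. The GHCR jobs' bodies are outside these hunks, so this needs confirming, but if they only retag container images then `contents: read` with no `pull-requests` entry is the least-privilege form; patch 04 adds `packages: write` and keeps both write scopes. In release.yml the block governs only the default `GITHUB_TOKEN`, while the visible steps authenticate with the app token, so `contents: read` may be sufficient there as well.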
From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:11:42 +0000 Subject: [PATCH 04/22] fix: Add packages:write permission for GHCR workflows --- .github/workflows/release-ghcr-latest-tag.yml | 1 + .github/workflows/release-ghcr-version-tag.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/release-ghcr-latest-tag.yml b/.github/workflows/release-ghcr-latest-tag.yml index 9774b1e7f6..afe2f46afc 100644 --- a/.github/workflows/release-ghcr-latest-tag.yml +++ b/.github/workflows/release-ghcr-latest-tag.yml @@ -5,6 +5,7 @@ on: types: [released] permissions: + packages: write contents: write pull-requests: write diff --git a/.github/workflows/release-ghcr-version-tag.yml b/.github/workflows/release-ghcr-version-tag.yml index c20802a8b9..05c350399c 100644 --- a/.github/workflows/release-ghcr-version-tag.yml +++ b/.github/workflows/release-ghcr-version-tag.yml @@ -5,6 +5,7 @@ on: types: [prereleased, released] permissions: + packages: write contents: write pull-requests: write From e0207bcba124888667a221a09aae90b9c9103d30 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:35:50 +0000 Subject: [PATCH 05/22] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/audit.yml | 2 +- .github/workflows/build.yml | 22 ++++++++++----------- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/rust-toolchain-update.yml | 2 +- .github/workflows/swift-test.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/test_node.yml | 12 +++++------ 9 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index eb62a17ec7..c130fbd702 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Audit dependencies uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # 2.0.0 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f61325bf2e..ac759b980d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,7 +31,7 @@ jobs: image: messense/rust-musl-cross:${{ matrix.container }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Add Rustup Target run: | @@ -67,7 +67,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Add Rustup Target run: rustup target add ${{ matrix.target }} @@ -154,7 +154,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Install `rcodesign` run: | @@ -218,7 +218,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 # When rustup is updated, it tries to replace its binary, which on Windows is somehow locked. # This can result in the CI failure, see: https://github.com/rust-lang/rustup/issues/3029 
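Review bot: The pin's trailing comment becomes `# v6 # 6.0.1`, two version labels on one line, which reads like the output of an automated rewrite rather than an intended annotation; one exact label is enough, `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1`. The same doubling is applied to every `actions/checkout` and `actions/setup-node` line in the other hunks of this patch, and in release.yml the checkout pin ends up as `# v6 # v2`, which contradicts itself. Since the SHA itself is not human-readable, the comment is what a reviewer or an update bot compares against the upstream tag, so it should name a single exact release. The job's remaining steps lie outside the hunk.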
@@ -250,9 +250,9 @@ jobs: needs: [linux, macos, macos_universal, windows] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version: '20.10.0' @@ -283,7 +283,7 @@ jobs: name: python (base) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Add Rustup Target run: rustup target add x86_64-unknown-linux-musl - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 @@ -301,7 +301,7 @@ jobs: runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows, python-base] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 with: python-version: '3.11' @@ -327,8 +327,8 @@ jobs: runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version: '20.10.0' - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0 
@@ -379,7 +379,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # 3.12.0 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 08261f0003..0d8ab04f3a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index c193ab76c0..8a4e47a0b0 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Setup Rust Toolchain run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 83f2be278f..af39fddfb7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -22,11 +22,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/rust-toolchain-update.yml b/.github/workflows/rust-toolchain-update.yml index d1473ba3d2..5ae726b4b2 100644 --- a/.github/workflows/rust-toolchain-update.yml +++ b/.github/workflows/rust-toolchain-update.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/swift-test.yml b/.github/workflows/swift-test.yml index 6721f2fe9d..000913b680 100644 --- a/.github/workflows/swift-test.yml +++ b/.github/workflows/swift-test.yml @@ -13,7 +13,7 @@ jobs: runs-on: macos-15 steps: - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Run tests working-directory: apple-catalog-parsing/native/swift/AssetCatalogParser run: swift test diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2b44dfe1a8..7834c50f3b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -39,7 +39,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Setup Rust Toolchain run: | diff --git a/.github/workflows/test_node.yml b/.github/workflows/test_node.yml index 4f8d3dd107..a12e33433c 100644 --- a/.github/workflows/test_node.yml +++ b/.github/workflows/test_node.yml @@ -17,10 +17,10 @@ jobs: name: Type Check runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Use Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version-file: package.json @@ -41,10 +41,10 @@ jobs: name: Prepare Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Use Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version-file: package.json @@ -78,10 +78,10 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version: ${{ matrix.node-version }} From c33adb14bc1c07f40acd4c06a71696da2e7786ed Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 02:04:50 +0000 Subject: [PATCH 06/22] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/audit.yml | 2 +- .github/workflows/build.yml | 22 ++++++++++----------- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/rust-toolchain-update.yml | 2 +- .github/workflows/swift-test.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/test_node.yml | 12 +++++------ 9 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index c130fbd702..468a1fb940 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Audit dependencies uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # 2.0.0 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ac759b980d..a2d7c2591e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,7 +31,7 @@ jobs: image: messense/rust-musl-cross:${{ matrix.container }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Add Rustup Target run: | @@ -67,7 +67,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Add Rustup Target run: rustup target add ${{ matrix.target }} 
@@ -154,7 +154,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Install `rcodesign` run: | @@ -218,7 +218,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 # When rustup is updated, it tries to replace its binary, which on Windows is somehow locked. # This can result in the CI failure, see: https://github.com/rust-lang/rustup/issues/3029 @@ -250,9 +250,9 @@ jobs: needs: [linux, macos, macos_universal, windows] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 with: node-version: '20.10.0' @@ -283,7 +283,7 @@ jobs: name: python (base) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Add Rustup Target run: rustup target add x86_64-unknown-linux-musl - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 @@ -301,7 +301,7 @@ jobs: runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows, python-base] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 with: python-version: '3.11' 
@@ -327,8 +327,8 @@ jobs: runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 with: node-version: '20.10.0' - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0 @@ -379,7 +379,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # 3.12.0 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0d8ab04f3a..9a99169d46 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8a4e47a0b0..bf76db5035 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Setup Rust Toolchain run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index af39fddfb7..05b1e5c606 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -22,11 +22,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/rust-toolchain-update.yml b/.github/workflows/rust-toolchain-update.yml index 5ae726b4b2..230524da0c 100644 --- a/.github/workflows/rust-toolchain-update.yml +++ b/.github/workflows/rust-toolchain-update.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/swift-test.yml b/.github/workflows/swift-test.yml index 000913b680..d75a4eec99 100644 --- a/.github/workflows/swift-test.yml +++ b/.github/workflows/swift-test.yml @@ -13,7 +13,7 @@ jobs: runs-on: macos-15 steps: - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Run tests working-directory: apple-catalog-parsing/native/swift/AssetCatalogParser run: swift test diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7834c50f3b..2cdb22fca3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -39,7 +39,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Setup Rust Toolchain run: | diff --git a/.github/workflows/test_node.yml b/.github/workflows/test_node.yml index a12e33433c..cea226096a 100644 --- a/.github/workflows/test_node.yml +++ b/.github/workflows/test_node.yml @@ -17,10 +17,10 @@ jobs: name: Type Check runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Use Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 with: node-version-file: package.json @@ -41,10 +41,10 @@ jobs: name: Prepare Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Use Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 with: node-version-file: package.json @@ -78,10 +78,10 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 with: node-version: ${{ matrix.node-version }} From 239d9cbd353a65539bcc27b1c6127e770c1624d7 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Mon, 12 Jan 2026 12:27:32 +0000 Subject: [PATCH 07/22] fix: Clean up action version comments --- .github/workflows/audit.yml | 2 +- .github/workflows/build.yml | 22 ++++++++++----------- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/rust-toolchain-update.yml | 2 +- .github/workflows/swift-test.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/test_node.yml | 12 +++++------ 9 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 468a1fb940..c130fbd702 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Audit dependencies uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # 2.0.0 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a2d7c2591e..ac759b980d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,7 +31,7 @@ jobs: image: messense/rust-musl-cross:${{ matrix.container }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Add Rustup Target run: | @@ -67,7 +67,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Add Rustup Target run: rustup target add ${{ matrix.target }} 
@@ -154,7 +154,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Install `rcodesign` run: | @@ -218,7 +218,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 # When rustup is updated, it tries to replace its binary, which on Windows is somehow locked. # This can result in the CI failure, see: https://github.com/rust-lang/rustup/issues/3029 @@ -250,9 +250,9 @@ jobs: needs: [linux, macos, macos_universal, windows] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version: '20.10.0' @@ -283,7 +283,7 @@ jobs: name: python (base) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Add Rustup Target run: rustup target add x86_64-unknown-linux-musl - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 @@ -301,7 +301,7 @@ jobs: runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows, python-base] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 with: python-version: '3.11' 
@@ -327,8 +327,8 @@ jobs: runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version: '20.10.0' - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0 @@ -379,7 +379,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # 3.12.0 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9a99169d46..0d8ab04f3a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index bf76db5035..8a4e47a0b0 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Setup Rust Toolchain run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 05b1e5c606..3b221caa38 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -22,11 +22,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/rust-toolchain-update.yml b/.github/workflows/rust-toolchain-update.yml index 230524da0c..5ae726b4b2 100644 --- a/.github/workflows/rust-toolchain-update.yml +++ b/.github/workflows/rust-toolchain-update.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/swift-test.yml b/.github/workflows/swift-test.yml index d75a4eec99..000913b680 100644 --- a/.github/workflows/swift-test.yml +++ b/.github/workflows/swift-test.yml @@ -13,7 +13,7 @@ jobs: runs-on: macos-15 steps: - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Run tests working-directory: apple-catalog-parsing/native/swift/AssetCatalogParser run: swift test diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2cdb22fca3..7834c50f3b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
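Review bot: The new trailing comments in the release.yml hunk, `# v2` on actions/create-github-app-token and `# v6` on actions/checkout, name a moving major tag, so a reader cannot check the pinned SHA against a specific release. I would keep one exact label per pin, as patch 19 later does with `# v2.2.1`, for example `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1`. The other files in this patch end up with `# v6 # 6.0.1`, which has the opposite problem of two labels for one SHA. The same applies to the `getsentry/craft@… # v2` line in patches 08 and 22, where the SHA changes while the comment stays `# v2`.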
@@ -39,7 +39,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Setup Rust Toolchain run: | diff --git a/.github/workflows/test_node.yml b/.github/workflows/test_node.yml index cea226096a..a12e33433c 100644 --- a/.github/workflows/test_node.yml +++ b/.github/workflows/test_node.yml @@ -17,10 +17,10 @@ jobs: name: Type Check runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Use Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version-file: package.json @@ -41,10 +41,10 @@ jobs: name: Prepare Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Use Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version-file: package.json @@ -78,10 +78,10 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 with: node-version: ${{ matrix.node-version }} From c139dfec3e33de9bdcb36f6d1ffc0185a5478bbd Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 22:45:45 +0000 Subject: [PATCH 08/22] Update Craft SHA to 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3b221caa38..c8f81ad19d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,7 +31,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From cdfec0141156337c5c8f8a7684b0bdea067607f7 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:03:10 +0000 Subject: [PATCH 09/22] Add explicit permissions block to build.yml --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ac759b980d..1dddf4ce67 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,10 @@ on: branches: - release/** +permissions: + contents: write + pull-requests: write + jobs: linux: strategy: From 426849b8b9d737b583d323882598bc08f39072ff Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:03:12 +0000 Subject: [PATCH 10/22] Add explicit permissions block to ci.yml --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e72e8e06fc..f90c648863 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,6 +18,10 @@ concurrency: env: RUSTFLAGS: -Dwarnings +permissions: + contents: write + pull-requests: write + jobs: lint: name: Lint From 66d8028d7f0be8485236c1ff514dcce6bb550241 Mon Sep 17 00:00:00 2001 
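Review bot: The workflow-level `permissions:` block added to build.yml gives `contents: write` and `pull-requests: write` to every job in the workflow, including the jobs that build inside the `messense/rust-musl-cross` container, and nothing in the hunk shows a step that pushes or edits pull requests with the workflow token. A least-privilege default would be `permissions:` with only `contents: read` at the top, and write scopes declared on the one job that needs them. The identical block is added to ci.yml, codeql-analysis.yml, rust-toolchain-update.yml and test_node.yml in patches 10–13; of these, only rust-toolchain-update.yml visibly passes `secrets.GITHUB_TOKEN` to checkout and may really need write access. Once a `permissions` block is present every unlisted scope drops to none, so codeql-analysis.yml would need `security-events: write` from a job-level block, which is not visible in these hunks. Patches 14–18 remove the blocks again, which returns these workflows to the repository default token permissions rather than an explicit read-only setting.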
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:03:14 +0000 Subject: [PATCH 11/22] Add explicit permissions block to codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0d8ab04f3a..a020aad6b3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -18,6 +18,10 @@ on: schedule: - cron: '32 17 * * 4' +permissions: + contents: write + pull-requests: write + jobs: analyze: name: Analyze From 5c739bdddc48801174464737080bee0455e8f304 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:03:17 +0000 Subject: [PATCH 12/22] Add explicit permissions block to rust-toolchain-update.yml --- .github/workflows/rust-toolchain-update.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/rust-toolchain-update.yml b/.github/workflows/rust-toolchain-update.yml index 5ae726b4b2..ae07c09271 100644 --- a/.github/workflows/rust-toolchain-update.yml +++ b/.github/workflows/rust-toolchain-update.yml @@ -5,6 +5,10 @@ on: # Run weekly on Mondays at 00:00 UTC - cron: '0 0 * * 1' +permissions: + contents: write + pull-requests: write + jobs: check-and-update: name: Check for Rust toolchain updates From 1a3a9ea176322185c3595b906cbb0fdb891635ad Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:03:19 +0000 Subject: [PATCH 13/22] Add explicit permissions block to test_node.yml --- .github/workflows/test_node.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test_node.yml b/.github/workflows/test_node.yml index a12e33433c..9d8eed5ae4 100644 --- a/.github/workflows/test_node.yml +++ b/.github/workflows/test_node.yml @@ -12,6 +12,10 @@ on: description: 'Matrix job result' value: ${{ jobs.test_node.result }} +permissions: + contents: write + pull-requests: write + jobs: type_check: name: Type Check 
From 2efc5b596ceac6d97769486b85da1b0b10e026cf Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:14:04 +0000 Subject: [PATCH 14/22] Revert permissions changes to build.yml --- .github/workflows/build.yml | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1dddf4ce67..f61325bf2e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,10 +5,6 @@ on: branches: - release/** -permissions: - contents: write - pull-requests: write - jobs: linux: strategy: @@ -35,7 +31,7 @@ jobs: image: messense/rust-musl-cross:${{ matrix.container }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Add Rustup Target run: | @@ -71,7 +67,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Add Rustup Target run: rustup target add ${{ matrix.target }} @@ -158,7 +154,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Install `rcodesign` run: | @@ -222,7 +218,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 # When rustup is updated, it tries to replace its binary, which on Windows is somehow locked. # This can result in the CI failure, see: https://github.com/rust-lang/rustup/issues/3029 
@@ -254,9 +250,9 @@ jobs: needs: [linux, macos, macos_universal, windows] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 with: node-version: '20.10.0' @@ -287,7 +283,7 @@ jobs: name: python (base) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Add Rustup Target run: rustup target add x86_64-unknown-linux-musl - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 @@ -305,7 +301,7 @@ jobs: runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows, python-base] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 with: python-version: '3.11' @@ -331,8 +327,8 @@ jobs: runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows] steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 with: node-version: '20.10.0' - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0 
@@ -383,7 +379,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # 3.12.0 From 635e0b5d394c12c6dd57315a8a227c8b678eb35d Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:14:06 +0000 Subject: [PATCH 15/22] Revert permissions changes to ci.yml --- .github/workflows/ci.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f90c648863..e72e8e06fc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,10 +18,6 @@ concurrency: env: RUSTFLAGS: -Dwarnings -permissions: - contents: write - pull-requests: write - jobs: lint: name: Lint From 1be85ab05a0698232e3e2271c9390bc2fd22b3eb Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:14:09 +0000 Subject: [PATCH 16/22] Revert permissions changes to codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a020aad6b3..08261f0003 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -18,10 +18,6 @@ on: schedule: - cron: '32 17 * * 4' -permissions: - contents: write - pull-requests: write - jobs: analyze: name: Analyze @@ -37,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From ccbcb2e5f1c6cde691e34ad275ffce2c49e359e3 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:14:12 +0000 Subject: [PATCH 17/22] Revert permissions changes to rust-toolchain-update.yml --- .github/workflows/rust-toolchain-update.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/rust-toolchain-update.yml b/.github/workflows/rust-toolchain-update.yml index ae07c09271..d1473ba3d2 100644 --- a/.github/workflows/rust-toolchain-update.yml +++ b/.github/workflows/rust-toolchain-update.yml @@ -5,10 +5,6 @@ on: # Run weekly on Mondays at 00:00 UTC - cron: '0 0 * * 1' -permissions: - contents: write - pull-requests: write - jobs: check-and-update: name: Check for Rust toolchain updates @@ -21,7 +17,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 with: token: ${{ secrets.GITHUB_TOKEN }} From 3b0731fc2b282c9fcd1a1ca45e4393bcc86d0dfd Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:14:14 +0000 Subject: [PATCH 18/22] Revert permissions changes to test_node.yml --- .github/workflows/test_node.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/test_node.yml b/.github/workflows/test_node.yml index 9d8eed5ae4..4f8d3dd107 100644 --- a/.github/workflows/test_node.yml +++ b/.github/workflows/test_node.yml 
@@ -12,19 +12,15 @@ on: description: 'Matrix job result' value: ${{ jobs.test_node.result }} -permissions: - contents: write - pull-requests: write - jobs: type_check: name: Type Check runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Use Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 with: node-version-file: package.json @@ -45,10 +41,10 @@ jobs: name: Prepare Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Use Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 with: node-version-file: package.json @@ -82,10 +78,10 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 # 6.1.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # 6.1.0 with: node-version: ${{ matrix.node-version }} From 8cdafc88171a18ae81b8e15e583d1df9db148e78 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:54:02 +0000 Subject: [PATCH 19/22] fix: clean up extraneous changes from migration script - Remove changelog-preview.yml as requested by reviewer - Restore original version comments (remove duplicate # vX # X.Y.Z) - Restore original formatting and runner in release.yml - Remove unnecessary permissions from GHCR workflows (keep only packages: write) --- .github/workflows/audit.yml | 2 +- .github/workflows/changelog-preview.yml | 17 -------- .github/workflows/lint.yml | 2 +- .github/workflows/release-ghcr-latest-tag.yml | 2 - .../workflows/release-ghcr-version-tag.yml | 2 - .github/workflows/release.yml | 40 +++++++++---------- .github/workflows/swift-test.yml | 2 +- .github/workflows/test.yml | 2 +- 8 files changed, 24 insertions(+), 45 deletions(-) delete mode 100644 .github/workflows/changelog-preview.yml diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index c130fbd702..eb62a17ec7 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Audit dependencies uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # 2.0.0 diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml deleted file mode 100644 index 5883c004c0..0000000000 --- a/.github/workflows/changelog-preview.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Changelog Preview -on: - pull_request: - types: - - opened - - synchronize - - reopened - - edited - - labeled -permissions: - contents: write - pull-requests: write - -jobs: - changelog-preview: - uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 - secrets: inherit diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8a4e47a0b0..c193ab76c0 100644 
--- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Setup Rust Toolchain run: | diff --git a/.github/workflows/release-ghcr-latest-tag.yml b/.github/workflows/release-ghcr-latest-tag.yml index afe2f46afc..c976c3dfea 100644 --- a/.github/workflows/release-ghcr-latest-tag.yml +++ b/.github/workflows/release-ghcr-latest-tag.yml @@ -6,8 +6,6 @@ on: permissions: packages: write - contents: write - pull-requests: write jobs: release-ghcr-latest-tag: diff --git a/.github/workflows/release-ghcr-version-tag.yml b/.github/workflows/release-ghcr-version-tag.yml index 05c350399c..92b5ec8bd3 100644 --- a/.github/workflows/release-ghcr-version-tag.yml +++ b/.github/workflows/release-ghcr-version-tag.yml @@ -6,8 +6,6 @@ on: permissions: packages: write - contents: write - pull-requests: write jobs: release-ghcr-version-tag: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c8f81ad19d..711550dffc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -17,24 +17,24 @@ permissions: jobs: release: - runs-on: ubuntu-latest - name: Release a new version + runs-on: ubuntu-24.04 + name: 'Release a new version' steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - merge_target: ${{ inputs.merge_target }} + - name: Get auth token + id: token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + merge_target: ${{ inputs.merge_target }} diff --git a/.github/workflows/swift-test.yml b/.github/workflows/swift-test.yml index 000913b680..6721f2fe9d 100644 --- a/.github/workflows/swift-test.yml +++ b/.github/workflows/swift-test.yml @@ -13,7 +13,7 @@ jobs: runs-on: macos-15 steps: - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Run tests working-directory: apple-catalog-parsing/native/swift/AssetCatalogParser run: swift test 
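Review bot: The `Get auth token` step in the release.yml hunk mints the release-bot token without any `permission-*` inputs, so by default the token carries every permission the App installation has. It is then handed both to actions/checkout and to getsentry/craft as `GITHUB_TOKEN`. actions/create-github-app-token v2 accepts inputs such as `permission-contents: write` to narrow the token to what release preparation needs; which scopes Craft requires is not visible here and should be confirmed before restricting. A short comment above the step saying why an App token is used instead of the workflow token would also help, since the hunk header shows the workflow still declares its own `permissions:` block. The top of release.yml, including that block, is outside this hunk.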
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7834c50f3b..2b44dfe1a8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # 6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: Setup Rust Toolchain run: | From a310324290b65764b9dafe4cbae77fee38b066c7 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 00:01:40 +0000 Subject: [PATCH 20/22] fix: revert extraneous changes to non-release workflow files --- .github/workflows/release-ghcr-latest-tag.yml | 3 --- .github/workflows/release-ghcr-version-tag.yml | 3 --- 2 files changed, 6 deletions(-) diff --git a/.github/workflows/release-ghcr-latest-tag.yml b/.github/workflows/release-ghcr-latest-tag.yml index c976c3dfea..fa15eee55b 100644 --- a/.github/workflows/release-ghcr-latest-tag.yml +++ b/.github/workflows/release-ghcr-latest-tag.yml @@ -4,9 +4,6 @@ on: release: types: [released] -permissions: - packages: write - jobs: release-ghcr-latest-tag: runs-on: ubuntu-24.04 diff --git a/.github/workflows/release-ghcr-version-tag.yml b/.github/workflows/release-ghcr-version-tag.yml index 92b5ec8bd3..c57f86135b 100644 --- a/.github/workflows/release-ghcr-version-tag.yml +++ b/.github/workflows/release-ghcr-version-tag.yml @@ -4,9 +4,6 @@ on: release: types: [prereleased, released] -permissions: - packages: write - jobs: release-ghcr-version-tag: runs-on: ubuntu-24.04 From eb1d97b804388bfd4891469616e814914418d5b0 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 11:13:56 +0000 Subject: [PATCH 21/22] fix: clean up release.yml formatting and version comments --- .github/workflows/release.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 711550dffc..fcb7dbab76 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,10 +6,10 @@ on: description: Version to release (or "auto") required: false force: - description: Force a release even when there are release-blockers + description: Force a release even when there are release-blockers (optional) required: false merge_target: - description: Target branch to merge into + description: Target branch to merge into. Uses the default branch as a fallback (optional) required: false permissions: contents: write @@ -26,7 +26,7 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 @@ -35,6 +35,6 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - merge_target: ${{ inputs.merge_target }} + version: ${{ github.event.inputs.version }} + force: ${{ github.event.inputs.force }} + merge_target: ${{ github.event.inputs.merge_target }} From 43ca36528bb3f5642483c1aa3875563c6a6cc347 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 13:16:01 +0000 Subject: [PATCH 22/22] build(craft): Update Craft action to c6e2f04 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fcb7dbab76..7864bdac85 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,7 +31,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: