chore(deps): bump the github-actions-dependencies group across 1 directory with 2 updates

.github/workflows/__greetings.yml

@@ -13,4 +13,4 @@ permissions:
 
 jobs:
   greetings:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0

.github/workflows/__main-ci.yml

@@ -10,17 +10,7 @@ on:
   schedule:
     - cron: "25 8 * * 1"
 
-permissions:
-  actions: write
-  contents: write
-  issues: read
-  packages: write
-  pages: write
-  pull-requests: write
-  security-events: write
-  statuses: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,14 +19,39 @@ concurrency:
 jobs:
   ci:
     uses: ./.github/workflows/__shared-ci.yml
+    # jscpd:ignore-start
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      pull-requests: read
+      id-token: write
+      issues: read
+      security-events: write
+      statuses: write
+    # jscpd:ignore-end
     secrets: inherit
 
   release:
     needs: ci
     if: github.event_name != 'schedule'
-    uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@b5b9f9278423f286fa2e14ca86f932475493828a # 0.12.1
+    uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@0717eb404857b7e4a15dc0db5fbece52921e85fb # 0.13.1
+    permissions:
+      contents: read
     with:
       update-all: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }}
       github-app-id: ${{ vars.CI_BOT_APP_ID }}
     secrets:
       github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
+
+  sync-docs:
+    needs: release
+    if: github.event_name != 'schedule' && github.ref_name == github.event.repository.default_branch && needs.release.outputs.artifact-id
+    uses: hoverkraft-tech/public-docs/.github/workflows/sync-docs-dispatcher.yml@c40c17f7d6a8090950b3ef4bfc70502707a6bb9f # 0.3.0
+    permissions:
+      contents: read
+    with:
+      artifact-id: ${{ needs.release.outputs.artifact-id }}
+      github-app-id: ${{ vars.CI_BOT_APP_ID }}
+    secrets:
+      github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}

.github/workflows/__need-fix-to-issue.yml

@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
     with:
       manual-commit-ref: ${{ inputs.manual-commit-ref }}
       manual-base-ref: ${{ inputs.manual-base-ref }}

.github/workflows/__pull-request-ci.yml

@@ -5,16 +5,7 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  actions: read
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  security-events: write
-  statuses: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -23,4 +14,13 @@ concurrency:
 jobs:
   ci:
     uses: ./.github/workflows/__shared-ci.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      pull-requests: read
+      id-token: write
+      issues: read
+      security-events: write
+      statuses: write
     secrets: inherit

.github/workflows/__shared-ci.yml

@@ -3,43 +3,54 @@ name: Internal - Common Continuous Integration tasks
 on:
   workflow_call:
 
-permissions:
-  actions: read
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  security-events: write
-  statuses: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
+    permissions:
+      contents: read
+      statuses: write
+      actions: read
+      security-events: write
 
   test-action-dependencies-cache:
     name: Test action "dependencies-cache"
     needs: linter
     uses: ./.github/workflows/__test-action-dependencies-cache.yml
+    permissions:
+      contents: read
 
   test-action-get-package-manager:
     name: Test action "get-package-manager"
     needs: linter
     uses: ./.github/workflows/__test-action-get-package-manager.yml
+    permissions:
+      contents: read
 
   test-action-has-installed-dependencies:
     name: Test action "has-installed-dependencies"
     needs: linter
     uses: ./.github/workflows/__test-action-has-installed-dependencies.yml
+    permissions:
+      contents: read
 
   test-action-setup-node:
     name: Test action "setup-node"
     needs: linter
     uses: ./.github/workflows/__test-action-setup-node.yml
+    permissions:
+      contents: read
 
   test-workflow-continuous-integration:
     name: Test workflow "continuous-integration"
     needs: linter
     uses: ./.github/workflows/__test-workflow-continuous-integration.yml
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: read
+      id-token: write
+      issues: read
+      security-events: write
     secrets: inherit

.github/workflows/__stale.yml

@@ -10,4 +10,4 @@ permissions:
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0

.github/workflows/__test-action-dependencies-cache.yml

@@ -3,13 +3,14 @@ name: Internal - Tests for "dependencies-cache" action
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: Test "dependencies-cache" (${{ matrix.working-directory }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:

.github/workflows/__test-action-get-package-manager.yml

@@ -3,13 +3,14 @@ name: Internal - Tests for "get-package-manager" action
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: Test "get-package-manager" (${{ matrix.working-directory }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:

.github/workflows/__test-action-has-installed-dependencies.yml

@@ -3,13 +3,14 @@ name: Internal - Tests for "has-installed-dependencies" action
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: Test "has-installed-dependencies" (${{ matrix.working-directory }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:

.github/workflows/__test-action-setup-node.yml

@@ -3,13 +3,14 @@ name: Internal - Tests for "setup-node" action
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: Test "setup-node" (${{ matrix.working-directory }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:

.github/workflows/__test-workflow-continuous-integration.yml

@@ -3,16 +3,17 @@ name: Internal - Test Continuous integration workflow
 on:
   workflow_call:
 
-permissions:
-  contents: read
-  security-events: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 jobs:
   act-without-container:
     name: Act - Run the continuous integration workflow (without container)
     uses: ./.github/workflows/continuous-integration.yml
+    permissions:
+      contents: read
+      security-events: write
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+      id-token: write
     with:
       working-directory: tests/npm
       build: |
@@ -60,6 +61,11 @@ jobs:
     name: Act - Run the continuous integration workflow (with container)
     uses: ./.github/workflows/continuous-integration.yml
     needs: arrange-with-container
+    permissions:
+      contents: read
+      security-events: write
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+      id-token: write
     with:
       container: ${{ fromJSON(needs.arrange-with-container.outputs.built-images).ci-npm.images[0] }}
       working-directory: /usr/src/app/

.github/workflows/continuous-integration.yml

@@ -97,11 +97,7 @@ on:
           ```
         required: false
 
-permissions:
-  contents: read
-  security-events: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 jobs:
   code-ql:
@@ -111,7 +107,7 @@ jobs:
       security-events: write
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
       - uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           languages: ${{ inputs.code-ql }}
@@ -124,7 +120,7 @@ jobs:
       contents: read
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
       - uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1
 
   setup:
@@ -134,17 +130,17 @@ jobs:
       image: ${{ inputs.container != '' && inputs.container || null }}
       # Root user is required to use GitHub Actions features inside the container
       options: --user root:root
-    # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
     permissions:
       contents: read
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     outputs:
       build-env: ${{ steps.build-variables.outputs.env }}
       build-commands: ${{ steps.build-variables.outputs.commands }}
       build-artifact: ${{ steps.build-variables.outputs.artifact }}
     steps:
       - if: inputs.container == ''
-        uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+        uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
 
       - id: build-variables
         if: inputs.build != ''
@@ -258,12 +254,12 @@ jobs:
       options: --user root:root
     needs: setup
     # jscpd:ignore-start
-    # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
     permissions:
       contents: read
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
         if: inputs.container == ''
 
       # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
@@ -310,11 +306,11 @@ jobs:
       options: --user root:root
     needs: setup
     permissions:
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       contents: read
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
         if: needs.setup.outputs.build-commands && inputs.container == ''
 
       # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
@@ -416,12 +412,12 @@ jobs:
     needs:
       - setup
       - build
-    # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
     permissions:
       contents: read
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
         if: inputs.container == ''
 
       - if: needs.setup.outputs.build-artifact && inputs.container == ''