diff --git a/.github/config/markdown-lint-config.yml b/.github/config/markdownlint.yml
similarity index 100%
rename from .github/config/markdown-lint-config.yml
rename to .github/config/markdownlint.yml
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 72d59369a..99c461916 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -99,5 +99,17 @@ "matchUpdateTypes": ["major"], "enabled": false, } + ], + "customManagers": [ + { + "customType": "regex", + "datasourceTemplate": "npm", + "fileMatch": [ + "^.github/workflows/" + ], + "matchStrings": [ + "npx (?[^@]+)@(?[^\\s]+)" + ] + } ] }
diff --git a/.github/workflows/assign-reviewers.yml b/.github/workflows/assign-reviewers.yml
index d1d6ef664..f7e867962 100644
--- a/.github/workflows/assign-reviewers.yml
+++ b/.github/workflows/assign-reviewers.yml
@@ -8,8 +8,14 @@ on: # because repository write permission is needed to assign reviewers pull_request_target: +permissions: + contents: read + jobs: assign-reviewers: + permissions: + contents: read + pull-requests: write # for assigning reviewers runs-on: ubuntu-latest steps: - uses: open-telemetry/assign-reviewers-action@b101a9c17274e3d4fff0853898007e9e3a366675 # main
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e407b01a7..3cda0feb5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true
diff --git a/.github/workflows/issue-management-feedback-label.yml b/.github/workflows/issue-management-feedback-label.yml
index 9c09feaba..35fa82926 100644
--- a/.github/workflows/issue-management-feedback-label.yml
+++ b/.github/workflows/issue-management-feedback-label.yml
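Review bot: The two capture groups in the new `matchStrings` entry render here as `(?[^@]+)` and `(?[^\\s]+)`, i.e. without the group names Renovate's regex manager requires; if the `depName`/`currentValue` names really are absent rather than lost to rendering, the manager matches nothing and the `npx` pins it is meant to track are never updated. The intended string is `"npx (?<depName>[^@]+)@(?<currentValue>[^\\s]+)"`. Note also that `[^@]+` cannot match a scoped package such as `npx @scope/cli@1.0.0`, which is fine for the pins in this diff but worth a `// scoped packages are not matched` comment next to the manager so the gap is not discovered by surprise.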
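Review bot: The job keeps `pull_request_target`, so it runs on the base branch with a `GITHUB_TOKEN` that now carries `pull-requests: write`; that is the minimum the action needs, but the grant is only safe as long as no step in this job checks out or executes code from the PR head (`github.event.pull_request.head.sha`/`.ref`). The job's remaining steps are outside this hunk, so I can't confirm that here; if the action needs nothing from the repository tree, the job-level `contents: read` can be dropped too, since an explicit job `permissions` block already sets every unlisted scope to none. A comment on the trigger such as `# pull_request_target: never check out or run PR-head code in this job` would make the constraint explicit for future edits.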
@@ -1,11 +1,17 @@ -name: Issue management - remove needs feedback label +name: Issue management - remove labels as needed on: issue_comment: types: [created] +permissions: + contents: read + jobs: issue_comment: + permissions: + contents: read + issues: write if: > contains(github.event.issue.labels.*.name, 'needs author feedback') && github.event.comment.user.login == github.event.issue.user.login
@@ -13,9 +19,10 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Remove label + - name: Remove labels env: ISSUE_NUMBER: ${{ github.event.issue.number }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | gh issue edit --remove-label "needs author feedback" $ISSUE_NUMBER + gh issue edit --remove-label "stale" $ISSUE_NUMBER
diff --git a/.github/workflows/issue-management-stale-action.yml b/.github/workflows/issue-management-stale-action.yml
index cc968577a..483df9b15 100644
--- a/.github/workflows/issue-management-stale-action.yml
+++ b/.github/workflows/issue-management-stale-action.yml
@@ -11,6 +11,7 @@ permissions: jobs: stale: permissions: + contents: read issues: write # for actions/stale to close stale issues pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest
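Review bot: The new `gh issue edit --remove-label "stale" $ISSUE_NUMBER` line is handed a pull-request number whenever the comment is on a PR, because `issue_comment` fires for PRs too and the stale action in this same change now applies the `stale` label to PRs; I believe `gh issue edit` refuses PR numbers, so the step would either fail or leave the PR labelled — verify, and if so branch on `github.event.issue.pull_request` to call `gh pr edit` (which additionally needs `pull-requests: write` in the job's permissions). For the issue path the two invocations can be one round-trip: `gh issue edit --remove-label "needs author feedback" --remove-label "stale" "$ISSUE_NUMBER"`. Passing the number through `env` instead of interpolating `${{ }}` into the script is the right injection-safe pattern and should stay as is.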
@@ -21,11 +22,15 @@ jobs: days-before-stale: 7 days-before-close: 7 only-labels: "needs author feedback" + stale-issue-label: stale stale-issue-message: > This has been automatically marked as stale because it has been marked as needing author feedback and has not had any activity for 7 days. - It will be closed if no further activity occurs within 7 days of this comment. + It will be closed automatically if there is no response from the author + within 7 additional days from this comment. + stale-pr-label: stale stale-pr-message: > This has been automatically marked as stale because it has been marked as needing author feedback and has not had any activity for 7 days. - It will be closed if no further activity occurs within 7 days of this comment. + It will be closed automatically if there is no response from the author + within 7 additional days from this comment.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 49991d63a..2caaaaba4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,6 +2,9 @@ name: Release on: workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest
@@ -50,6 +53,8 @@ jobs: path: jmx-metrics/build/reports/tests/integrationTest release: + permissions: + contents: write # for creating the release runs-on: ubuntu-latest needs: - build
@@ -186,6 +191,8 @@ jobs: echo "version=$VERSION" >> $GITHUB_OUTPUT merge-change-log-to-main: + permissions: + contents: write # for git push to PR branch runs-on: ubuntu-latest needs: - release
diff --git a/.github/workflows/reusable-markdown-link-check.yml b/.github/workflows/reusable-markdown-link-check.yml
index 8c57be5df..6240250a9 100644
--- a/.github/workflows/reusable-markdown-link-check.yml
+++ b/.github/workflows/reusable-markdown-link-check.yml
@@ -3,6 +3,9 @@ name: Reusable - Markdown link check on: workflow_call: +permissions: + contents: read + jobs: markdown-link-check: runs-on: ubuntu-latest
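Review bot: The reworded `stale-issue-message` and `stale-pr-message` now promise closure only "if there is no response from the author", but as far as the inputs visible here go, actions/stale decides by the item's last activity regardless of who acted, so a maintainer comment or label change after marking also resets the clock, and `only-labels` only governs which items get marked in the first place. Either keep the wording generic (`It will be closed automatically if there is no further activity within 7 additional days from this comment.`) or confirm the action's update-ignoring inputs are set so the promise is accurate; the `with:` block starts outside this hunk, so I can't see the remaining inputs.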
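Review bot: The grant `contents: write # for git push to PR branch` on `merge-change-log-to-main` covers the push, but a job that then opens or updates a pull request with `GITHUB_TOKEN` also needs `pull-requests: write`, and a PR created with that token does not trigger `pull_request` workflows, so the build checks would not run on it. If the job instead uses a PAT or app token for the push and the PR, the `contents: write` on `GITHUB_TOKEN` is unnecessary and should be dropped so the default token stays read-only. The job body is outside this hunk, so which case applies needs checking against the steps; whichever it is, record it in the comment, e.g. `# for git push to PR branch (PR itself is opened with the same GITHUB_TOKEN / a separate app token)`.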
diff --git a/.github/workflows/reusable-markdown-lint.yml b/.github/workflows/reusable-markdown-lint.yml
index cbb1623d0..c67921f6b 100644
--- a/.github/workflows/reusable-markdown-lint.yml
+++ b/.github/workflows/reusable-markdown-lint.yml
@@ -12,9 +12,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Install markdownlint - run: npm install -g markdownlint-cli - - name: Run markdownlint run: | - markdownlint -c .github/config/markdown-lint-config.yml **/*.md + npx markdownlint-cli@0.43.0 -c .github/config/markdownlint.yml **/*.md
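Review bot: `**/*.md` on the new `npx` line is still expanded by the shell, and the non-interactive `bash` GitHub uses for `run:` has `globstar` off, so `**` behaves like `*` and only Markdown files exactly one directory deep are linted (the top-level `README.md` and anything nested deeper are skipped, unless that one level has no match and the literal falls through to markdownlint's own globber); quote it, `npx markdownlint-cli@0.43.0 -c .github/config/markdownlint.yml '**/*.md'`, so markdownlint-cli performs the recursive glob itself. Pinning `markdownlint-cli@0.43.0` fixes the CLI version, which is an improvement over the floating `npm install -g`, but `npx` still resolves the package's transitive dependencies from the registry at run time with no integrity check; for a reproducible, hash-verified install commit a `package.json`/`package-lock.json` and run `npm ci` instead. The pinned version is the one the new Renovate regex manager in this diff is meant to keep current, so the two should be kept in step.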