Update 8hobbies/workflows digest to b912c36 (#305)
| jobs: | ||
| lint: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5 | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060 |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 2 months ago):
To fix this, explicitly declare least-privilege permissions for the workflow so that the GITHUB_TOKEN used by the lint job is limited. Since this workflow just invokes an npm lint reusable workflow and does not appear to need to write to the repository or other resources, we can safely set read-only permissions on repository contents (and optionally packages, which is also read-only by default). The best, minimal change is to add a permissions block at the workflow root level (between on: and jobs:), which will apply to all jobs that do not override it, including lint.
Concretely, in .github/workflows/lint.yml, insert:
permissions:
  contents: read
  packages: read
after the on: section and before jobs:. This does not alter the workflow’s behavior from a functional perspective (linting still runs as before) but ensures the token cannot perform unintended writes. No additional imports, methods, or other definitions are required; this is purely a YAML configuration change in the workflow file.
| @@ -20,6 +20,10 @@ | ||
| pull_request: | ||
| branches: ["master"] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| jobs: | ||
| lint: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060 |
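Review bot: the suggested block grants packages: read alongside contents: read, although the explanation above itself calls packages optional; once a permissions block is declared, every scope not listed in it is set to none, so packages: read only matters if npm-lint.yml actually reads from GitHub Packages. Confirm that before merging, and otherwise reduce the block to contents: read.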
| jobs: | ||
| run: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5 | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060 |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 2 months ago):
In general, the fix is to add an explicit permissions block that applies least-privilege GITHUB_TOKEN permissions to this workflow/job. Because this workflow only invokes a reusable workflow and is named “Publish Dry Run,” it likely only needs read access to repository contents; a dry run of npm publish should not require pushing commits, creating releases, or modifying issues/PRs. The safest minimal starting point is contents: read, and we can define this at the job level for the run job.
Concretely, in .github/workflows/publish-dry-run.yml, under jobs:, in the run: job, add a permissions: block before uses:. This keeps existing behavior (the job still calls the same reusable workflow) but ensures the GITHUB_TOKEN has read-only access to repository contents unless the reusable workflow explicitly requires more. No imports or extra methods are needed; this is a pure YAML configuration change.
| @@ -22,4 +22,6 @@ | ||
|
|
||
| jobs: | ||
| run: | ||
| permissions: | ||
| contents: read | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060 |
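Review bot: this suggestion places permissions: at the job level under run:, while the suggestions for lint.yml and runtime.yml place the block at the workflow root; pick one placement for all three callers. For single-job files like these a root-level block is the simpler default, because any job added later inherits it instead of silently falling back to the repository-wide default token permissions.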
| jobs: | ||
| test: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5 | ||
| uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060 |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 2 months ago):
To fix the problem, explicitly define a permissions block to scope the GITHUB_TOKEN to the least privileges needed. Since this file only orchestrates a reusable workflow and doesn’t show any operations requiring write access, the safest default is read-only repository contents (contents: read). If the reusable workflow needs more (e.g., contents: write, packages: read, etc.), those can be added later where truly required.
The best minimal fix without changing existing functionality is to add a root-level permissions block under the name field (or equivalently between on: and jobs:). This sets default permissions for all jobs in this workflow, including the test job that uses the reusable workflow, and satisfies CodeQL’s requirement. Concretely, in .github/workflows/runtime.yml, insert:
permissions:
  contents: read
right after the name: Runtime line. No imports or other definitions are needed; this is pure GitHub Actions YAML configuration.
| @@ -14,6 +14,9 @@ | ||
|
|
||
| name: Runtime | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["master"] |
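Review bot: the block lands before on: here but after on: in the lint.yml suggestion; both are valid top-level placements, but using the same order in all three files makes the diffs easier to review. Also verify that npm-runtime.yml operates within contents: read, since a permissions block declared by the caller caps what the reusable workflow receives.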
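The three Copilot suggestions above all address the same CodeQL finding. As an added example that is not part of this PR or the 8hobbies/workflows project, here is a small Python check that flags caller workflows with neither a workflow-level nor a job-level permissions block (and any write-all grant), run over constructed samples modelled on lint.yml before and after the two fix shapes:

```python
import re

# Constructed scanner for the plain mapping style used by the workflows in this
# PR; it ignores flow-style YAML, anchors and "- " list items (steps).
LINE = re.compile(r"^(\s*)([A-Za-z0-9_.\-]+):\s*(.*)$")

def audit_workflow(text):
    """Return findings for one workflow file; an empty list means it passes."""
    root_perms, jobs, in_jobs = None, {}, False
    job_indent = child_indent = current = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:                       # top-level key
            in_jobs, current = key == "jobs", None
            root_perms = (value or "<block>") if key == "permissions" else root_perms
            continue
        if not in_jobs:
            continue
        job_indent = job_indent or indent     # first key under jobs: is a job id
        if indent == job_indent:
            current, child_indent = key, None
            jobs[key] = {}
        elif current is not None:
            child_indent = child_indent or indent   # direct children of the job
            if indent == child_indent:
                jobs[current][key] = value or "<block>"
    findings = []
    if root_perms == "write-all":
        findings.append("workflow-level 'permissions: write-all' is not least privilege")
    for name, keys in jobs.items():
        perms = keys.get("permissions")
        if perms is None and root_perms is None:
            findings.append(f"job '{name}' has no permissions block and no workflow-level default")
        elif perms == "write-all":
            findings.append(f"job '{name}' uses 'permissions: write-all'")
    return findings

# Constructed sample modelled on lint.yml in this PR, then the two fix shapes.
BEFORE = """\
on:
  push:
jobs:
  lint:
    uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060
"""
AFTER_ROOT = BEFORE.replace("jobs:", "permissions:\n  contents: read\n  packages: read\njobs:")
AFTER_JOB = BEFORE.replace("  lint:\n", "  lint:\n    permissions:\n      contents: read\n")
```

Running it over every file under .github/workflows in a pre-commit hook catches the finding before CodeQL does, without waiting for the scan.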
This PR contains the following updates:

8hobbies/workflows digest: 067ef9a → b912c36

Configuration
📅 Schedule: Branch creation - "on Sunday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.