From ff217cbecb62d7bce4217db11ea4f3d1f2cadbe9 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 12:48:55 +0200 Subject: [PATCH 1/5] chore: add workflow permissions Signed-off-by: Jan Kowalleck --- .github/workflows/nodejs.yml | 2 ++ .github/workflows/release.yml | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml index ec653098d..bc357156b 100644 --- a/.github/workflows/nodejs.yml +++ b/.github/workflows/nodejs.yml @@ -17,6 +17,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + env: NODE_ACTIVE_LTS: "22" # see https://nodejs.org/en/about/releases/ REPORTS_DIR: "CI_reports" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 52516ac43..5509494c1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,7 +28,7 @@ on: default: false required: false -permissions: write-all +permissions: {} env: REPORTS_DIR: CI_reports @@ -85,6 +85,8 @@ jobs: name: publish package runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + id-token: write # Enables provenance signing via OIDC env: PACKAGE_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }} steps: @@ -161,6 +163,8 @@ jobs: name: publish GitHub runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: write # create a release env: ASSETS_DIR: release_assets steps: From 6a4e74189078434f0b55ec29adac288a0af7108d Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 12:58:30 +0200 Subject: [PATCH 2/5] chore: add workflow permissions Signed-off-by: Jan Kowalleck --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5509494c1..ffe76f123 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
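Review bot: In `.github/workflows/nodejs.yml` the new top-level `permissions: {}` carries no comment, and going by the diffstat (two added lines in this file) no job-level grant was added with it, so every job in that workflow now runs with a token that lacks even `contents: read`. Checkout of a public repository still works that way, but the same workflow in a private fork or mirror would fail at its checkout step. The jobs themselves are outside the hunk, so this needs checking against them. I would state the intent next to the key, for example `permissions: {}  # no token scopes by default; jobs opt in`, and give each job that checks out code an explicit `contents: read`.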
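Review bot: In the `publish package` job of `release.yml` (hunk at -85), `id-token: write` is granted to the whole job, so every step in it, not only the publish command, can request an OIDC token for this repository's identity. The job's steps are outside the hunk; if they install dependencies or run build scripts before publishing, it would be tighter to build in a job without this permission and keep the job that holds it down to fetching the built artifact and publishing. Listing one permission also sets every unlisted one to none, which the comment could say: `id-token: write  # OIDC token for provenance; all other scopes stay none`.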
@@ -45,6 +45,8 @@ jobs: version_plain: ${{ steps.bump.outputs.version_plain }} runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: write # needed for git push steps: - name: Checkout code # see https://github.com/actions/checkout From 8687799225b8fb6892c093f99eb87258fcf0b912 Mon Sep 17 00:00:00 2001 From: jkowalleck Date: Mon, 26 May 2025 11:00:24 +0000 Subject: [PATCH 3/5] 8.0.1-alpha.0 Signed-off-by: jkowalleck --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 2ff564d15..1aa76ea6c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@cyclonedx/cyclonedx-library", - "version": "8.0.0", + "version": "8.0.1-alpha.0", "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).", "license": "Apache-2.0", "keywords": [ From 0e3b8f760f69c374aefe7610b68c1495ac9dd513 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 13:03:40 +0200 Subject: [PATCH 4/5] chore: add workflow permissions Signed-off-by: Jan Kowalleck --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ffe76f123..d8fdfadb7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -89,6 +89,7 @@ jobs: timeout-minutes: 30 permissions: id-token: write # Enables provenance signing via OIDC + packages: write # Allows writing to organization packages env: PACKAGE_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }} steps: From 4f965201c9fc3e55cc2abbcc6d47592a9e7330a0 Mon Sep 17 00:00:00 2001 From: jkowalleck Date: Mon, 26 May 2025 11:09:24 +0000 Subject: [PATCH 5/5] 8.0.1-alpha.1 Signed-off-by: jkowalleck --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 1aa76ea6c..2e553824f 100644 --- a/package.json +++ b/package.json 
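Review bot: The bump job (hunk at -45 in patch 2/5) now holds `contents: write` for its whole run, and the checkout step visible at the end of the hunk leaves the token in the local git configuration unless `persist-credentials: false` is set, so every later step is able to push. That is what the `git push` needs, but any script that runs between checkout and push acts with write access to the repository; those steps are outside the hunk, so keep dependency installs and third-party actions out of that stretch where possible. The comment could also say what is pushed, for example `contents: write  # git push of the version bump` if that is what the job does. The `publish GitHub` job in patch 1/5 receives the same scope for release creation and deserves the same look.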
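Review bot: `packages: write`, added to the `publish package` job in patch 4/5, governs GitHub Packages and has no effect on registry.npmjs.org, so whether the line is needed depends on where the job publishes, which the hunk does not show. If the package goes only to the public npm registry, this scope is unused and should be dropped so the job stays at `id-token: write` alone. If the job does publish to GitHub Packages, the comment should name the target instead of "organization packages", for example `packages: write  # publish to GitHub Packages (npm.pkg.github.com)`.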
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cyclonedx-library",
- "version": "8.0.1-alpha.0",
+ "version": "8.0.1-alpha.1",
 "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
 "license": "Apache-2.0",
 "keywords": [