From 77c4065d1271beae0b771e13e54aa1dce26c44ee Mon Sep 17 00:00:00 2001
From: Joonas Hiltunen
Date: Tue, 9 Dec 2025 14:46:50 +0200
Subject: [PATCH] Add permissions for workflows and update 3rd party actions

---
 .github/workflows/cd.yml | 7 +++++--
 .github/workflows/check-renovatebot-config.yml | 5 ++++-
 .github/workflows/run-kotlin-tests.yml | 5 ++++-
 .github/workflows/test-docker-compose.yml | 5 ++++-
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 6807bf2..0c879a4 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -4,10 +4,13 @@ on:
 push:
 branches:
 - main
- - "releases/**"
+ - releases/**
 pull_request:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 run_kotlin_tests:
 name: Run kotlin tests
@@ -20,7 +23,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v6
 with:
 docker_image_name: jore4-timetables-api
 build_arm64_image: true
diff --git a/.github/workflows/check-renovatebot-config.yml b/.github/workflows/check-renovatebot-config.yml
index 26dc1a2..3f7e971 100644
--- a/.github/workflows/check-renovatebot-config.yml
+++ b/.github/workflows/check-renovatebot-config.yml
@@ -3,10 +3,13 @@ name: Check renovatebot config
 on:
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 validate:
 name: Validate renovatebot config
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v2
 with:
 config_file_path: .github/renovate.json5
 checkout_submodules: recursive 
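Review bot: The updated `uses:` line in the second cd.yml hunk still references the shared workflow by a floating tag (`@shared-build-and-publish-docker-image-v6`), so whoever can move that tag in HSLdevcom/jore4-tools changes what this job runs; the same applies to `@shared-check-renovatebot-config-v2` in the check-renovatebot-config.yml hunk and to `actions/checkout@v6` in both run-kotlin-tests.yml and test-docker-compose.yml. Pinning to the full commit SHA with the version kept in a trailing comment (`uses: actions/checkout@<full-commit-sha> # v6`, placeholder SHA) removes the mutable reference while leaving Renovate able to track the version, and this repository already validates a Renovate config. The jump from v1 to v6 of the build-and-publish workflow spans five major versions with the `with:` inputs (`docker_image_name`, `build_arm64_image`) left unchanged; a sentence in the commit message confirming those inputs are still accepted by v6 would help, since that cannot be checked from this diff alone.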
diff --git a/.github/workflows/run-kotlin-tests.yml b/.github/workflows/run-kotlin-tests.yml
index f95a3bb..3110f51 100644
--- a/.github/workflows/run-kotlin-tests.yml
+++ b/.github/workflows/run-kotlin-tests.yml
@@ -4,6 +4,9 @@ on:
 # this workflow is only called by others, won't be executed on itself
 workflow_call:
 
+permissions:
+ contents: read
+
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -14,7 +17,7 @@ jobs:

 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 with:
 submodules: recursive
 
diff --git a/.github/workflows/test-docker-compose.yml b/.github/workflows/test-docker-compose.yml
index ff85fc7..6cce727 100644
--- a/.github/workflows/test-docker-compose.yml
+++ b/.github/workflows/test-docker-compose.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches: [main, releases/**]
 
+permissions:
+ contents: read
+
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -15,7 +18,7 @@ jobs:

 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 with:
 submodules: recursive
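Review bot: The `permissions:` block added above `env:` in run-kotlin-tests.yml sits in a workflow that the comment in the hunk says is only invoked via `workflow_call`; for a called workflow this key can only narrow the `GITHUB_TOKEN` scopes the caller passes in, it cannot add any, so its effect depends on what the calling job in cd.yml forwards. A comment next to it would stop a later editor from expecting it to grant scopes: `# invoked via workflow_call: this can only reduce the caller's GITHUB_TOKEN permissions, never widen them`. The workflow-level `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` that follows still exposes that token to every step of every job; with `contents: read` it is now a read-only token, which is worth stating in the same comment so the two stanzas are read together. The same block is added to test-docker-compose.yml, where the workflow is triggered directly and the key is a real grant rather than a cap.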
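Review bot: The bumped `actions/checkout@v6` step in run-kotlin-tests.yml (and the identical one in test-docker-compose.yml) keeps the action's default of persisting the `GITHUB_TOKEN` into the checked-out repository's git config, where any later step can read it; the steps that follow are outside the hunk, so whether they need git authentication cannot be judged here. If they do not, add `persist-credentials: false` under the existing `with:` next to `submodules: recursive`; a submodule fetch during the checkout itself should still work, because the option only controls what is left behind after the action finishes. The step's enclosing job starts before the hunk.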