chore(deps): bump the github-actions-dependencies group with 9 updates

.devcontainer/devcontainer.json

@@ -2,7 +2,8 @@
   "name": "Node.js & TypeScript",
   "image": "mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm",
   "features": {
-    "ghcr.io/devcontainers/features/docker-in-docker:2": {}
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/devcontainers/features/node:1": {}
   },
   "forwardPorts": [3000],
   "customizations": {

.github/workflows/__shared-ci.yml

@@ -2,18 +2,24 @@ name: Common Continuous Integration tasks
 
 on:
   workflow_call:
+    outputs:
+      build-artifact-id:
+        description: "The artifact ID of the build output"
+        value: ${{ jobs.nodejs.outputs.build-artifact-id }}
+      package-tarball-artifact-id:
+        description: "The artifact ID of the uploaded package tarball"
+        value: ${{ jobs.package-theme.outputs.package-tarball-artifact-id }}
 
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-  statuses: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      statuses: write
     with:
       linter-env: |
         FILTER_REGEX_EXCLUDE=packages/theme/lib/**/*,packages/docs/build/**/*
@@ -23,7 +29,13 @@ jobs:
         VALIDATE_CSS=false
 
   nodejs:
-    uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@23af54bc615d657aa9c13c472ae701445c1811a6 # 0.17.1
+    uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@e96599d869b66887c4c9dc18dd40b59249ad9cd0 # 0.20.2
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
+      pull-requests: write
+      security-events: write
     with:
       build: |
         {
@@ -34,14 +46,22 @@ jobs:
     name: Package and verify Docusaurus theme
     needs: [linter, nodejs]
     runs-on: ubuntu-latest
+    outputs:
+      package-tarball-artifact-id: ${{ steps.upload-package-tarball.outputs.artifact-id }}
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+
       - name: Setup Node.js
-        uses: hoverkraft-tech/ci-github-nodejs/actions/setup-node@23af54bc615d657aa9c13c472ae701445c1811a6 # 0.17.1
+        uses: hoverkraft-tech/ci-github-nodejs/actions/setup-node@e96599d869b66887c4c9dc18dd40b59249ad9cd0 # 0.20.2
+
       - name: Download build artifacts
         uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
-          name: build
+          artifact-ids: ${{ needs.nodejs.outputs.build-artifact-id }}
           path: /
 
       - name: Create package tarball
@@ -63,6 +83,7 @@ jobs:
           npm run build
 
       - name: Upload package tarball
+        id: upload-package-tarball
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: package-tarball

.github/workflows/greetings.yml

@@ -6,11 +6,12 @@ on:
   pull_request_target:
     branches: [main]
 
-permissions:
-  contents: read
-  issues: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   greetings:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write

.github/workflows/main-ci.yml

@@ -5,13 +5,7 @@ on:
     branches: [main]
     tags: ["*"]
 
-permissions:
-  actions: read
-  contents: read
-  id-token: write
-  pages: write
-  security-events: write
-  statuses: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -24,10 +18,11 @@ jobs:
     permissions:
       actions: read
       contents: read
+      packages: read
+      pull-requests: write
+      id-token: write
       security-events: write
       statuses: write
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-      id-token: write
 
   npm-publish:
     needs: ci
@@ -37,14 +32,14 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Setup Node.js
-        uses: hoverkraft-tech/ci-github-nodejs/actions/setup-node@23af54bc615d657aa9c13c472ae701445c1811a6 # 0.17.1
+        uses: hoverkraft-tech/ci-github-nodejs/actions/setup-node@e96599d869b66887c4c9dc18dd40b59249ad9cd0 # 0.20.2
 
       - name: Download package tarball
         uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
-          name: package-tarball
+          artifact-ids: ${{ needs.ci.outputs.package-tarball-artifact-id }}
           path: .
       - name: Publish CLI to npm
         run: |
@@ -72,7 +67,7 @@ jobs:
       page-url: ${{ steps.deployment.outputs.url }}
     steps:
       - id: deployment
-        uses: hoverkraft-tech/ci-github-publish/actions/deploy/github-pages@38963f37ef5be0b6ae84147f542d96d9eb02802b # 0.14.0
+        uses: hoverkraft-tech/ci-github-publish/actions/deploy/github-pages@667d05650cefbf57afe043737ba5948601d76ec8 # 0.15.1
         with:
           build-path: packages/docs/build
-          build-artifact-name: build
+          build-artifact-id: ${{ needs.ci.outputs.build-artifact-id }}

.github/workflows/need-fix-to-issue.yml

@@ -15,17 +15,14 @@ on:
           before it; to go back further, enter an earlier SHA here"
         required: false
 
-permissions:
-  contents: read
-  issues: write
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2
+    permissions:
+      contents: read
+      issues: write
     with:
       manual-commit-ref: ${{ inputs.manual-commit-ref }}
       manual-base-ref: ${{ inputs.manual-base-ref }}

.github/workflows/pull-request-ci.yml

@@ -5,13 +5,7 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-  statuses: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -20,4 +14,12 @@ concurrency:
 jobs:
   ci:
     uses: ./.github/workflows/__shared-ci.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      pull-requests: write
+      id-token: write
+      security-events: write
+      statuses: write
     secrets: inherit

.github/workflows/semantic-pull-request.yml

@@ -7,10 +7,11 @@ on:
       - edited
       - synchronize
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2
+    permissions:
+      contents: write
+      pull-requests: write

.github/workflows/stale.yml

@@ -4,10 +4,11 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2
+    permissions:
+      issues: write
+      pull-requests: write

Makefile

@@ -31,6 +31,7 @@ test: ## Run tests
 ci: ## Run tests in CI mode
 	$(MAKE) prepare
 	$(MAKE) lint-fix
+	npm audit fix
 	$(MAKE) build
 	$(MAKE) test