From 0224522293c8df27af5992621dafed04b83c9245 Mon Sep 17 00:00:00 2001
From: Bryce Boe
Date: Mon, 15 Jun 2026 10:14:50 -0700
Subject: [PATCH 1/3] Scope GITHUB_TOKEN permissions to jobs in stale_action and tag_release

---
 .github/workflows/stale_action.yml | 7 ++++---
 .github/workflows/tag_release.yml | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/stale_action.yml b/.github/workflows/stale_action.yml
index 944df2c..8b75693 100644
--- a/.github/workflows/stale_action.yml
+++ b/.github/workflows/stale_action.yml
@@ -1,12 +1,13 @@
 jobs:
   stale_action:
     name: Close stale issues and PRs
+    permissions:
+      issues: write # required to comment on and close stale issues
+      pull-requests: write # required to comment on and close stale PRs
     uses: praw-dev/.github/.github/workflows/stale_action.yml@9ff8957d0cab4cf8c9d7cb5592aedb3d456cc058 # v1.4.0
 name: Close stale issues and PRs
 on:
   schedule:
     - cron: 0 */6 * * *
   workflow_dispatch:
-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}
diff --git a/.github/workflows/tag_release.yml b/.github/workflows/tag_release.yml
index ca406a9..71b0dd7 100644
--- a/.github/workflows/tag_release.yml
+++ b/.github/workflows/tag_release.yml
@@ -2,9 +2,10 @@ name: Tag Release
 on:
   push:
     branches: [main]
-permissions:
-  contents: write
+permissions: {}
 jobs:
   tag_release:
     name: Tag Release
+    permissions:
+      contents: write # required to push the release tag
     uses: praw-dev/.github/.github/workflows/tag_release.yml@9ff8957d0cab4cf8c9d7cb5592aedb3d456cc058 # v1.4.0

From 20ab96a4d0b4aac7a830b1c13ffce7626f737ad6 Mon Sep 17 00:00:00 2001
From: Bryce Boe
Date: Mon, 15 Jun 2026 10:14:51 -0700
Subject: [PATCH 2/3] Add reusable workflow linting (zizmor + actionlint)

---
 .github/workflows/lint.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/workflows/lint.yml

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..0c77806
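Review bot: The inline comments added on the `issues: write` and `pull-requests: write` lines sit one space after the value (`write # required …`), which yamllint's default `comments` rule (min-spaces-from-content: 2) reports; the `contents: write` line in tag_release.yml uses the same spacing. Since this series goes on to add a workflow-lint job, it is worth writing them as `issues: write  # required to comment on and close stale issues` so a later yamllint pass stays clean. The shape itself is right for a reusable-workflow call: the job-level grant caps what the called workflow can use, and the top-level `permissions: {}` leaves nothing else on the token.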
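Review bot: `contents: write` on the `tag_release` job is the narrowest GITHUB_TOKEN scope that can create a tag, but it also permits pushes to any branch, so the reusable workflow pinned at `9ff8957…` is trusted with write access to the whole repository on every push to `main`; the comment should record that rather than only "required to push the release tag". A second caveat belongs next to it: a tag pushed with GITHUB_TOKEN does not start other workflow runs, so anything expected to trigger on the new tag will not fire (the prepare_release workflow later in this series takes an App identity via `APP_ID`/`APP_PRIVATE_KEY`, possibly for that reason — I cannot see the called workflow from here). Suggested comment: `contents: write  # required to push the release tag (also allows branch pushes; GITHUB_TOKEN pushes do not trigger other workflows)`.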
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,15 @@
+concurrency:
+  group: lint-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  lint:
+    name: Lint workflows
+    permissions:
+      contents: read # required to check out the repository
+    uses: praw-dev/.github/.github/workflows/lint.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
+name: Lint workflows
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+permissions: {}

From 4c9e0c90a50cc2bc84cb51e99a5653ef02891c33 Mon Sep 17 00:00:00 2001
From: Bryce Boe
Date: Mon, 15 Jun 2026 10:25:04 -0700
Subject: [PATCH 3/3] Bump praw-dev/.github reusable workflow pins to v1.5.0

---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/pre-commit_autoupdate.yml | 2 +-
 .github/workflows/prepare_release.yml | 2 +-
 .github/workflows/stale_action.yml | 2 +-
 .github/workflows/tag_release.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4931eea..a31319f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,7 +4,7 @@ concurrency:
 jobs:
   ci:
     name: CI
-    uses: praw-dev/.github/.github/workflows/ci.yml@9ff8957d0cab4cf8c9d7cb5592aedb3d456cc058 # v1.4.0
+    uses: praw-dev/.github/.github/workflows/ci.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
     with:
       min_python: "3.10"
       python_versions: '["3.10", "3.11", "3.12", "3.13", "3.14"]'
diff --git a/.github/workflows/pre-commit_autoupdate.yml b/.github/workflows/pre-commit_autoupdate.yml
index 8ecd1df..6d4b279 100644
--- a/.github/workflows/pre-commit_autoupdate.yml
+++ b/.github/workflows/pre-commit_autoupdate.yml
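Review bot: The `lint` job grants the reusable workflow only `contents: read`, so zizmor findings can surface only in the job log; if the praw-dev `lint.yml` at `aa63811…` uploads SARIF to code scanning it would additionally need `security-events: write`, and that upload would fail under this caller — I cannot see the called workflow from here, so please confirm which mode it runs in and either add the permission with a why-comment or note in the comment that findings are log-only. Read-only is the right default for a job that also runs on `pull_request`, where fork PRs receive a read-only token anyway. Separately, `branches: ["main"]` here is spelled `branches: [main]` in tag_release.yml; pick one form across the workflows.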
@@ -4,7 +4,7 @@ jobs:
     secrets:
       APP_ID: ${{ secrets.APP_ID }}
       APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
-    uses: praw-dev/.github/.github/workflows/pre-commit_autoupdate.yml@9ff8957d0cab4cf8c9d7cb5592aedb3d456cc058 # v1.4.0
+    uses: praw-dev/.github/.github/workflows/pre-commit_autoupdate.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
 name: Update pre-commit hooks
 on:
   schedule:
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index b9f0db9..d1d3603 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -13,7 +13,7 @@ jobs:
     secrets:
       APP_ID: ${{ secrets.APP_ID }}
       APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
-    uses: praw-dev/.github/.github/workflows/prepare_release.yml@9ff8957d0cab4cf8c9d7cb5592aedb3d456cc058 # v1.4.0
+    uses: praw-dev/.github/.github/workflows/prepare_release.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
     with:
       package: codesorter
       version: ${{ inputs.version }}
diff --git a/.github/workflows/stale_action.yml b/.github/workflows/stale_action.yml
index 8b75693..fc7987c 100644
--- a/.github/workflows/stale_action.yml
+++ b/.github/workflows/stale_action.yml
@@ -4,7 +4,7 @@ jobs:
     permissions:
       issues: write # required to comment on and close stale issues
       pull-requests: write # required to comment on and close stale PRs
-    uses: praw-dev/.github/.github/workflows/stale_action.yml@9ff8957d0cab4cf8c9d7cb5592aedb3d456cc058 # v1.4.0
+    uses: praw-dev/.github/.github/workflows/stale_action.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
 name: Close stale issues and PRs
 on:
   schedule:
diff --git a/.github/workflows/tag_release.yml b/.github/workflows/tag_release.yml
index 71b0dd7..b9b283e 100644
--- a/.github/workflows/tag_release.yml
+++ b/.github/workflows/tag_release.yml
@@ -8,4 +8,4 @@ jobs:
     name: Tag Release
     permissions:
       contents: write # required to push the release tag
-    uses: praw-dev/.github/.github/workflows/tag_release.yml@9ff8957d0cab4cf8c9d7cb5592aedb3d456cc058 # v1.4.0
+    uses: praw-dev/.github/.github/workflows/tag_release.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0