From b25035eca0ef98ccf5e0ff8468f910afc79f253c Mon Sep 17 00:00:00 2001
From: Ofek Weiss <ofek1weiss@gmail.com>
Date: Mon, 27 Apr 2026 15:20:54 +0300
Subject: [PATCH] actions followups

---
 .github/workflows/close_pylon_issue.yml | 10 ++++++----
 .github/workflows/release.yml           |  2 +-
 .github/workflows/test-release.yml      | 13 +++++++++----
 .github/workflows/test-warehouse.yml    | 10 +++++-----
 .github/workflows/triage-labels.yml     |  5 +++--
 5 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/close_pylon_issue.yml b/.github/workflows/close_pylon_issue.yml
index a8a9de680..e3bf1e7f1 100644
--- a/.github/workflows/close_pylon_issue.yml
+++ b/.github/workflows/close_pylon_issue.yml
@@ -23,12 +23,14 @@ jobs:
 
       - name: Close Pylon Ticket
         if: steps.extract_ticket_id.outputs.pylon_ticket_id != ''
+        env:
+          PYLON_TICKET_ID: ${{ steps.extract_ticket_id.outputs.pylon_ticket_id }}
+          PYLON_API_KEY: ${{ secrets.PYLON_API_KEY }}
         run: |
-          pylon_ticket_id=${{ steps.extract_ticket_id.outputs.pylon_ticket_id }}
-          echo "Closing Pylon Ticket ID: $pylon_ticket_id"
+          echo "Closing Pylon Ticket ID: $PYLON_TICKET_ID"
           curl --request PATCH \
-            --url "https://api.usepylon.com/issues/$pylon_ticket_id" \
-            --header "Authorization: ${{ secrets.PYLON_API_KEY }}" \
+            --url "https://api.usepylon.com/issues/$PYLON_TICKET_ID" \
+            --header "Authorization: $PYLON_API_KEY" \
             --header 'Content-Type: application/json' \
             --data '{
               "state": "closed"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b94822eb0..bab5131fa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ on:
         type: string
   push:
     tags:
-      - v[0-9].[0-9]+.[0-9]+
+      - v[0-9]+.[0-9]+.[0-9]+
 
 env:
   REGISTRY: ghcr.io
diff --git a/.github/workflows/test-release.yml b/.github/workflows/test-release.yml
index f0c11afe9..41ca192ec 100644
--- a/.github/workflows/test-release.yml
+++ b/.github/workflows/test-release.yml
@@ -30,10 +30,13 @@ jobs:
 
       - name: Bump tag version
         id: bump-tag
+        env:
+          PY_TAG: ${{ steps.get-tag.outputs.py }}
+          DBT_TAG: ${{ steps.get-tag.outputs.dbt }}
         run: |
-          echo "py-bumped=$(echo ${{ steps.get-tag.outputs.py }} | awk -F. '/[0-9]+\./{$NF++;print}' OFS=.)" >> $GITHUB_OUTPUT
-          echo "py-bumped-number=$(echo ${{ steps.get-tag.outputs.py }} | awk -F. '/[0-9]+\./{$NF++;print}' OFS=. | cut -c 2-)" >> $GITHUB_OUTPUT
-          echo "dbt-bumped=$(echo ${{ steps.get-tag.outputs.dbt }} | awk -F. '/[0-9]+\./{$NF++;print}' OFS=.)" >> $GITHUB_OUTPUT
+          echo "py-bumped=$(echo "$PY_TAG" | awk -F. '/[0-9]+\./{$NF++;print}' OFS=.)" >> "$GITHUB_OUTPUT"
+          echo "py-bumped-number=$(echo "$PY_TAG" | awk -F. '/[0-9]+\./{$NF++;print}' OFS=. | cut -c 2-)" >> "$GITHUB_OUTPUT"
+          echo "dbt-bumped=$(echo "$DBT_TAG" | awk -F. '/[0-9]+\./{$NF++;print}' OFS=.)" >> "$GITHUB_OUTPUT"
 
       - name: Confirm release tag
         run: |
@@ -74,8 +77,10 @@ jobs:
       contents: read
     steps:
       - name: recommend unbreaking change upgrade
+        env:
+          PY_BUMPED_NUMBER: ${{ needs.get-latest-release-tags.outputs.py-bumped-number }}
         run: |
-          echo "Everything ran successfully, you can bump version to ${{ needs.get-latest-release-tags.outputs.py-bumped-number }}"
+          echo "Everything ran successfully, you can bump version to $PY_BUMPED_NUMBER"
       - name: recommend breaking change upgrade
         if: ${{ failure() }}
         uses: actions/github-script@v8
diff --git a/.github/workflows/test-warehouse.yml b/.github/workflows/test-warehouse.yml
index 26158e9f3..b2eb2f0b7 100644
--- a/.github/workflows/test-warehouse.yml
+++ b/.github/workflows/test-warehouse.yml
@@ -446,13 +446,13 @@ jobs:
           SLACK_TOKEN: ${{ secrets.CI_SLACK_TOKEN }}
         run: >
           edr monitor send-report
-          -t "${{ inputs.warehouse-type }}"
-          --project-dir "${{ env.E2E_DBT_PROJECT_DIR }}"
-          --project-profile-target "${{ inputs.warehouse-type }}"
-          --slack-file-name "report_${{ inputs.warehouse-type }}_${{ env.BRANCH_NAME }}.html"
+          -t "$WAREHOUSE_TYPE"
+          --project-dir "$E2E_DBT_PROJECT_DIR"
+          --project-profile-target "$WAREHOUSE_TYPE"
+          --slack-file-name "report_${WAREHOUSE_TYPE}_${BRANCH_NAME}.html"
           --slack-token "$SLACK_TOKEN"
           --slack-channel-name oss-ci-tests
-          --bucket-file-path "ci_reports/report_${{ inputs.warehouse-type }}_${{ env.BRANCH_NAME }}.html"
+          --bucket-file-path "ci_reports/report_${WAREHOUSE_TYPE}_${BRANCH_NAME}.html"
           --s3-bucket-name elementary-ci-artifacts
           --update-bucket-website true
 
diff --git a/.github/workflows/triage-labels.yml b/.github/workflows/triage-labels.yml
index 52538ad2f..8245021fb 100644
--- a/.github/workflows/triage-labels.yml
+++ b/.github/workflows/triage-labels.yml
@@ -1,13 +1,14 @@
 name: Update Triage Label
 on: issue_comment
 
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   triage_label:
     if: contains(github.event.issue.labels.*.name, 'Awaiting Response')
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Update label
         # actions/github-script v8, checked 2026-04-26.