From 92cfb3cc54b2d6a951e73e64f1cff54c4cb08804 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen <jimisola@jimisola.com>
Date: Tue, 12 May 2026 11:20:35 +0200
Subject: [PATCH 1/3] refactor(ci): update centralized workflow references to
 flattened paths

reqstool/.github no longer uses subdirectories for reusable workflows
(GitHub Actions limitation). Update all uses: references from
subdirectory paths (e.g. typescript/lint.yml) to prefixed top-level
names (e.g. typescript-lint.yml).

Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
---
 .github/workflows/build.yml              | 4 ++--
 .github/workflows/publish_vscode_ext.yml | 6 +++---
 .github/workflows/release-preview.yml    | 2 +-
 .github/workflows/release.yml            | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 755d8f3..c65c3ab 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,11 +28,11 @@ on:
 
 jobs:
   lint:
-    uses: reqstool/.github/.github/workflows/typescript/lint.yml@main
+    uses: reqstool/.github/.github/workflows/typescript-lint.yml@main
 
   build:
     needs: lint
-    uses: reqstool/.github/.github/workflows/typescript/build.yml@main
+    uses: reqstool/.github/.github/workflows/typescript-build.yml@main
     with:
       use-xvfb: true
       dependency-version: ${{ inputs.reqstool_version || 'latest' }}
diff --git a/.github/workflows/publish_vscode_ext.yml b/.github/workflows/publish_vscode_ext.yml
index 00c6c8b..e601242 100644
--- a/.github/workflows/publish_vscode_ext.yml
+++ b/.github/workflows/publish_vscode_ext.yml
@@ -17,7 +17,7 @@ on:
 jobs:
   check-release:
     if: github.event_name == 'release'
-    uses: reqstool/.github/.github/workflows/common/check-release.yml@main
+    uses: reqstool/.github/.github/workflows/common-check-release.yml@main
     with:
       version-format: semver
 
@@ -29,7 +29,7 @@ jobs:
   dry-run:
     if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
     needs: [build]
-    uses: reqstool/.github/.github/workflows/typescript/publish-to-vscode.yml@main
+    uses: reqstool/.github/.github/workflows/typescript-publish-to-vscode.yml@main
     with:
       dry-run: true
       dependency-name: reqstoolVersion
@@ -41,7 +41,7 @@ jobs:
   publish:
     if: github.event_name == 'release'
     needs: [check-release, build]
-    uses: reqstool/.github/.github/workflows/typescript/publish-to-vscode.yml@main
+    uses: reqstool/.github/.github/workflows/typescript-publish-to-vscode.yml@main
     with:
       dry-run: false
       dependency-name: reqstoolVersion
diff --git a/.github/workflows/release-preview.yml b/.github/workflows/release-preview.yml
index cec7689..0796d80 100644
--- a/.github/workflows/release-preview.yml
+++ b/.github/workflows/release-preview.yml
@@ -5,7 +5,7 @@ on:
 
 jobs:
   preview:
-    uses: reqstool/.github/.github/workflows/common/release-preview.yml@main
+    uses: reqstool/.github/.github/workflows/common-release-preview.yml@main
     with:
       version-command: 'node -p "require(''./package.json'').version"'
     permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 15a7150..f54f8bb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,7 +10,7 @@ on:
 
 jobs:
   release:
-    uses: reqstool/.github/.github/workflows/common/release.yml@main
+    uses: reqstool/.github/.github/workflows/common-release.yml@main
     with:
       version: ${{ inputs.version }}
       version-format: semver

From fa3710f7c22a002dd6bc860e525ab60d3a721cf5 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen <jimisola@jimisola.com>
Date: Tue, 12 May 2026 11:29:10 +0200
Subject: [PATCH 2/3] refactor(ci): update check-semantic-pr reference to
 common- prefix

Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
---
 .github/workflows/check-semantic-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 5bacd57..7e27d90 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -7,4 +7,4 @@ on:
 
 jobs:
   check:
-    uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
+    uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@main

From 076226172367e8f9a21d1f656e22ecf179f41d2a Mon Sep 17 00:00:00 2001
From: Jimisola Laursen <jimisola@jimisola.com>
Date: Tue, 12 May 2026 21:14:02 +0200
Subject: [PATCH 3/3] fix(ci): add explicit permissions blocks to workflow
 wrappers

Fixes CodeQL alert: workflow does not limit GITHUB_TOKEN permissions.

Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
---
 .github/workflows/check-semantic-pr.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 7e27d90..81a00ea 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -5,6 +5,9 @@ on:
   pull_request_target:
     types: [opened, edited, synchronize, reopened]
 
+permissions:
+  pull-requests: read
+
 jobs:
   check:
     uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@main