From 4e815438b09a713ab1188460016c34ba7ef76382 Mon Sep 17 00:00:00 2001 From: Jimisola Laursen Date: Tue, 12 May 2026 16:48:59 +0200 Subject: [PATCH 1/2] refactor(ci): update check-semantic-pr reference to common- prefix check-semantic-pr.yml was renamed to common-check-semantic-pr.yml in reqstool/.github as part of the workflow directory flatten refactor. Signed-off-by: Jimisola Laursen --- .github/workflows/check-semantic-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml index 5bacd57..7e27d90 100644 --- a/.github/workflows/check-semantic-pr.yml +++ b/.github/workflows/check-semantic-pr.yml @@ -7,4 +7,4 @@ on: jobs: check: - uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main + uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@main From 33e19334229f188aac65b8ac8fb555588448d358 Mon Sep 17 00:00:00 2001 From: Jimisola Laursen Date: Tue, 12 May 2026 21:14:01 +0200 Subject: [PATCH 2/2] fix(ci): add explicit permissions blocks to workflow wrappers Fixes CodeQL alert: workflow does not limit GITHUB_TOKEN permissions. Signed-off-by: Jimisola Laursen --- .github/workflows/check-semantic-pr.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml index 7e27d90..81a00ea 100644 --- a/.github/workflows/check-semantic-pr.yml +++ b/.github/workflows/check-semantic-pr.yml @@ -5,6 +5,9 @@ on: pull_request_target: types: [opened, edited, synchronize, reopened] +permissions: + pull-requests: read + jobs: check: uses: reqstool/.github/.github/workflows/common-check-semantic-pr.yml@main
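Review bot: In PATCH 1/2 the replacement `uses:` line still ends in `@main`, so this workflow runs whatever the main branch of `reqstool/.github` holds at trigger time, and the context lines of PATCH 2/2 show the trigger is `pull_request_target`, which runs in the base repository's context. The rename this commit follows is itself a case of main changing under its callers. Consider pinning the reference to a full commit SHA of `reqstool/.github`, with a trailing comment naming the version it corresponds to, so upstream changes reach this repository only through a reviewed bump.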
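Review bot: In PATCH 2/2 the new top-level `permissions:` block grants only `pull-requests: read`, and a called reusable workflow can keep or reduce the caller's GITHUB_TOKEN permissions but not raise them, so this becomes the ceiling for `common-check-semantic-pr.yml`. That file is not part of this patch; please confirm it needs nothing beyond reading the pull request (for example, that it does not post a comment or set a status), otherwise the check will start failing on its first write call. The subject also says "workflow wrappers" in the plural while the diffstat lists one file, so either narrow the subject or include the other wrappers in this commit.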