ci(cd): update workflow permissions

rhahao · web-flow · commit e6dea88b4dcd · 2026-01-04T12:12:57.000+03:00
diff --git a/.github/workflows/code-ql.yml b/.github/workflows/code-ql.yml
@@ -6,15 +6,14 @@ on:
   pull_request:
     branches: [main, beta, alpha]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   codeql:
     name: Code QL
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     strategy:
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -4,21 +4,18 @@ on:
   workflow_dispatch:
 
 permissions:
-  id-token: write
   contents: read
 
-
 jobs:
   deploy_prod:
     name: Preparing Production release
     if: ${{ github.repository == 'sws2apps/github-gcloud-cli' && github.ref == 'refs/heads/main' }}
     environment:
       name: Prod.env
     runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        node-version: [22.x]
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       - name: Checkout for release preparation
@@ -27,10 +24,12 @@ jobs:
           ref: main
           persist-credentials: false
 
-      - name: Semantic Release
-        id: semantic
-        uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90
+      - name: Setup Node.js LTS
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
         with:
-          semantic_version: 19.0.2
+          node-version: lts/Jod
+
+      - name: Run Semantic Release
+        run: npx semantic-release
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -4,19 +4,16 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   scorecards:
     name: Scorecards Analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
       security-events: write
-      # Used to receive a badge. (Upcoming feature)
       id-token: write
-      actions: read
-      contents: read
 
     steps:
       - name: 'Checkout code'
