chore: update global workflows (#4725)

LizardByte-bot · ReenigneArcher · web-flow · commit a038cc1375cd · 2026-02-14T17:43:01.000-05:00
Co-authored-by: ReenigneArcher &lt;42013603+ReenigneArcher@users.noreply.github.com&gt;
diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml
@@ -4,16 +4,13 @@
 # the above-mentioned repo.
 
 name: CodeQL
-permissions:
-  actions: read
-  contents: read
-  security-events: write
+permissions: {}
 
 on:
+  pull_request:
   push:
     branches:
       - master
-  pull_request:
   schedule:
     - cron: '00 12 * * 0'  # every Sunday at 12:00 UTC
 
@@ -26,3 +23,7 @@ jobs:
     name: CodeQL
     uses: LizardByte/.github/.github/workflows/__call-codeql.yml@master
     if: ${{ github.repository != 'LizardByte/.github' }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
diff --git a/.github/workflows/_common-lint.yml b/.github/workflows/_common-lint.yml
@@ -4,8 +4,7 @@
 # the above-mentioned repo.
 
 name: common lint
-permissions:
-  contents: read
+permissions: {}
 
 on:
   pull_request:
@@ -19,3 +18,5 @@ jobs:
     name: Common Lint
     uses: LizardByte/.github/.github/workflows/__call-common-lint.yml@master
     if: ${{ github.repository != 'LizardByte/.github' }}
+    permissions:
+      contents: read
diff --git a/.github/workflows/_release-notifier.yml b/.github/workflows/_release-notifier.yml
@@ -6,8 +6,7 @@
 # Create a blog post for a new release and open a PR to the blog repo
 
 name: Release Notifications
-permissions:
-  contents: read
+permissions: {}
 
 on:
   release:
@@ -19,7 +18,10 @@ jobs:
     name: Update blog
     uses: LizardByte/.github/.github/workflows/__call-release-notifier.yml@master
     if: github.repository_owner == 'LizardByte'
+    permissions:
+      contents: read
+    with:
+      gh_name: ${{ vars.GH_BOT_NAME }}
     secrets:
       GH_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
-      GH_NAME: ${{ secrets.GH_BOT_NAME }}
       GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
diff --git a/.github/workflows/_update-changelog.yml b/.github/workflows/_update-changelog.yml
@@ -4,8 +4,7 @@
 # the above-mentioned repo.
 
 name: Update changelog
-permissions:
-  contents: read
+permissions: {}
 
 on:
   release:
@@ -27,5 +26,7 @@ jobs:
       github.repository_owner == 'LizardByte' &&
       (github.event_name == 'workflow_dispatch' ||
       (!github.event.release.prerelease && !github.event.release.draft))
+    permissions:
+      contents: read
     secrets:
       GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
diff --git a/.github/workflows/_update-docs.yml b/.github/workflows/_update-docs.yml
@@ -28,6 +28,7 @@ jobs:
     name: Update docs
     uses: LizardByte/.github/.github/workflows/__call-update-docs.yml@master
     if: github.repository_owner == 'LizardByte'
+    permissions: {}
     with:
       readthedocs_slug: ${{ vars.READTHEDOCS_SLUG }}
     secrets:
diff --git a/.github/workflows/_update-flathub-repo.yml b/.github/workflows/_update-flathub-repo.yml
@@ -8,8 +8,7 @@
 # Update Flathub on release events.
 
 name: Update Flathub repo
-permissions:
-  contents: read
+permissions: {}
 
 on:
   release:
@@ -25,7 +24,10 @@ jobs:
     name: Update Flathub Repo
     uses: LizardByte/.github/.github/workflows/__call-update-flathub-repo.yml@master
     if: github.repository_owner == 'LizardByte'
+    permissions:
+      contents: read
+    with:
+      gh_name: ${{ vars.GH_BOT_NAME }}
     secrets:
       GH_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
-      GH_NAME: ${{ secrets.GH_BOT_NAME }}
       GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
diff --git a/.github/workflows/_update-homebrew-repo.yml b/.github/workflows/_update-homebrew-repo.yml
@@ -8,8 +8,7 @@
 # Update Homebrew on release events.
 
 name: Update Homebrew repo
-permissions:
-  contents: read
+permissions: {}
 
 on:
   release:
@@ -25,7 +24,10 @@ jobs:
     name: Update Homebrew repo
     uses: LizardByte/.github/.github/workflows/__call-update-homebrew-repo.yml@master
     if: github.repository_owner == 'LizardByte'
+    permissions:
+      contents: read
+    with:
+      gh_username: ${{ vars.GH_BOT_NAME }}
     secrets:
       GH_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
-      GH_USERNAME: ${{ secrets.GH_BOT_NAME }}
       GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
diff --git a/.github/workflows/_update-pacman-repo.yml b/.github/workflows/_update-pacman-repo.yml
@@ -8,8 +8,7 @@
 # Update pacman repo on release events.
 
 name: Update pacman repo
-permissions:
-  contents: read
+permissions: {}
 
 on:
   release:
@@ -25,7 +24,10 @@ jobs:
     name: Update pacman repo
     uses: LizardByte/.github/.github/workflows/__call-update-pacman-repo.yml@master
     if: github.repository_owner == 'LizardByte'
+    permissions:
+      contents: read
+    with:
+      gh_name: ${{ vars.GH_BOT_NAME }}
     secrets:
       GH_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
-      GH_NAME: ${{ secrets.GH_BOT_NAME }}
       GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
diff --git a/.github/workflows/_update-winget-repo.yml b/.github/workflows/_update-winget-repo.yml
@@ -8,8 +8,7 @@
 # Update Winget on release events.
 
 name: Update Winget repo
-permissions:
-  contents: read
+permissions: {}
 
 on:
   release:
@@ -25,5 +24,9 @@ jobs:
     name: Update Winget repo
     uses: LizardByte/.github/.github/workflows/__call-update-winget-repo.yml@master
     if: github.repository_owner == 'LizardByte'
+    permissions:
+      contents: read
+    with:
+      gh_name: ${{ vars.GH_BOT_NAME }}
     secrets:
       GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
diff --git a/.github/workflows/ci-homebrew.yml b/.github/workflows/ci-homebrew.yml
@@ -5,6 +5,9 @@ permissions: {}
 on:
   workflow_call:
     inputs:
+      git_username:
+        required: true
+        type: string
       publish_release:
         required: true
         type: string
@@ -22,8 +25,6 @@ on:
         required: true
       GIT_EMAIL:
         required: true
-      GIT_USERNAME:
-        required: true
 
 jobs:
   build_homebrew:
@@ -148,7 +149,7 @@ jobs:
           actionlint_config: "---\n# empty config"
           formula_file: ${{ github.workspace }}/homebrew/sunshine.rb
           git_email: ${{ secrets.GIT_EMAIL }}
-          git_username: ${{ secrets.GIT_USERNAME }}
+          git_username: ${{ inputs.git_username }}
           publish: false
           token: ${{ secrets.GH_TOKEN }}
           validate: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -50,16 +50,16 @@ jobs:
       packages: write
     uses: LizardByte/.github/.github/workflows/__call-docker.yml@master
     with:
+      docker_hub_username: ${{ vars.DOCKER_HUB_USERNAME }}
+      gh_bot_name: ${{ vars.GH_BOT_NAME }}
       maximize_build_space: true
       publish_release: ${{ needs.release-setup.outputs.publish_release }}
       release_commit: ${{ needs.release-setup.outputs.release_commit }}
       release_tag: ${{ needs.release-setup.outputs.release_tag }}
       release_version: ${{ needs.release-setup.outputs.release_version }}
     secrets:
-      DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
       DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
       DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
-      GH_BOT_NAME: ${{ secrets.GH_BOT_NAME }}
       GH_BOT_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -80,14 +80,14 @@ jobs:
       contents: read
     uses: ./.github/workflows/ci-homebrew.yml
     with:
+      git_username: ${{ vars.GH_BOT_NAME }}
       publish_release: ${{ needs.release-setup.outputs.publish_release }}
       release_commit: ${{ needs.release-setup.outputs.release_commit }}
       release_tag: ${{ needs.release-setup.outputs.release_tag }}
       release_version: ${{ needs.release-setup.outputs.release_version }}
     secrets:
       GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
       GIT_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
-      GIT_USERNAME: ${{ secrets.GH_BOT_NAME }}
 
   build-linux:
     name: Linux
@@ -312,7 +312,7 @@ jobs:
           actionlint_config: "---\n# empty config"
           formula_file: ${{ github.workspace }}/homebrew/sunshine-beta.rb
           git_email: ${{ secrets.GH_BOT_EMAIL }}
-          git_username: ${{ secrets.GH_BOT_NAME }}
+          git_username: ${{ vars.GH_BOT_NAME }}
           publish: true
           token: ${{ secrets.GH_BOT_TOKEN }}
           validate: false
diff --git a/.github/workflows/release-notifier-moonlight.yml b/.github/workflows/release-notifier-moonlight.yml
@@ -35,5 +35,5 @@ jobs:
           nodetail: true
           nofail: false
           title: ${{ github.event.repository.name }} ${{ github.ref_name }} Released
-          username: ${{ secrets.DISCORD_USERNAME }}
+          username: ${{ vars.DISCORD_USERNAME }}
           webhook: ${{ secrets.DISCORD_RELEASE_WEBHOOK_MOONLIGHT }}
diff --git a/.github/workflows/update-pages.yml b/.github/workflows/update-pages.yml
@@ -38,9 +38,9 @@ jobs:
     uses: LizardByte/LizardByte.github.io/.github/workflows/jekyll-build.yml@master
     secrets:
       GH_BOT_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
-      GH_BOT_NAME: ${{ secrets.GH_BOT_NAME }}
       GH_BOT_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
     with:
       clean_gh_pages: true
+      gh_bot_name: ${{ vars.GH_BOT_NAME }}
       site_artifact: 'prep'
       target_branch: 'gh-pages'
