chore: add workflow permissions (#1241)

Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: jkowalleck <[email protected]>
Co-authored-by: jkowalleck <[email protected]>

Author: jkowalleck

.github/workflows/nodejs.yml

@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   NODE_ACTIVE_LTS: "22" # see https://nodejs.org/en/about/releases/
   REPORTS_DIR: "CI_reports"

.github/workflows/release.yml

@@ -28,7 +28,7 @@ on:
         default: false
         required: false
 
-permissions: write-all
+permissions: {}
 
 env:
   REPORTS_DIR: CI_reports
@@ -45,6 +45,8 @@ jobs:
       version_plain: ${{ steps.bump.outputs.version_plain }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: write  # needed for git push
     steps:
       - name: Checkout code
         # see https://github.com/actions/checkout
@@ -85,6 +87,9 @@ jobs:
     name: publish package
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      id-token: write  # Enables provenance signing via OIDC
+      packages: write  # Allows writing to organization packages
     env:
       PACKAGE_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }}
     steps:
@@ -161,6 +166,8 @@ jobs:
     name: publish GitHub
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: write  # create a release
     env:
       ASSETS_DIR: release_assets
     steps:

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cyclonedx-library",
-  "version": "8.0.1-alpha.0",
+  "version": "8.0.1-alpha.1",
   "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
   "license": "Apache-2.0",
   "keywords": [