ci(gh actions): reviewed permissions, secret names and use of OS var

Author: KaiSchwarz-cnic

.github/workflows/auto-merge-dependabot-pr.yml

@@ -16,7 +16,7 @@ jobs:
 
   dependabot:
     name: Auto-merge Dependabot PR
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.RTLDEV_MW_CI_OS }}
     needs: tests
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
@@ -31,4 +31,4 @@ jobs:
         run: gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{secrets.RTLDEV_MW_CI_TOKEN}}

.github/workflows/release.yml

@@ -1,19 +1,24 @@
 name: Release
 on:
-  # will run for every branch, except tags. See RSRMID-206.
   push:
-    # Sequence of patterns matched against refs/heads
     branches:
       - master
 
 jobs:
   build:
     name: Build
     uses: ./.github/workflows/test.yml
+    permissions:
+      contents: read
+      packages: write
 
   release:
     name: Release @ ubuntu-latest
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.RTLDEV_MW_CI_OS }}
+    permissions:
+      contents: write
+      issues: write
+      deployments: write
     needs: build
     steps:
       - name: Checkout
@@ -44,15 +49,15 @@ jobs:
         run: npm ci
       - name: Release
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RTLDEV_MW_CI_TOKEN }}
           MAVEN_OPTS: ${{ vars.MAVEN_OPTS }}
           OSSRH_JIRA_USERNAME: ${{ secrets.OSSRH_JIRA_USERNAME }}
           OSSRH_JIRA_PASSWORD: ${{ secrets.OSSRH_JIRA_PASSWORD }}
           ENCRYPTED_C9F9AEDF26B7_KEY: ${{ secrets.ENCRYPTED_C9F9AEDF26B7_KEY }}
           ENCRYPTED_C9F9AEDF26B7_IV: ${{ secrets.ENCRYPTED_C9F9AEDF26B7_IV }}
           GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-          RTLDEV_MW_NOTIFICATION_URI: ${{ secrets.RTLDEV_MW_NOTIFICATION_URI }}
+          RTLDEV_MW_NOTIFICATION_URI: ${{ secrets.RTLDEV_MW_CI_NOTIFICATION_URI }}
         run: |
           openssl aes-256-cbc -K $ENCRYPTED_C9F9AEDF26B7_KEY -iv $ENCRYPTED_C9F9AEDF26B7_IV -in codesigning.asc.enc -out codesigning.asc -d
           gpg --import --batch codesigning.asc

.github/workflows/test.yml

@@ -8,7 +8,10 @@ jobs:
   # as the build names above change each time Node versions change
   lint:
     name: 🧪 Linting
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.RTLDEV_MW_CI_OS }}
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -26,7 +29,11 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   test_matrix:
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.RTLDEV_MW_CI_OS }}
+    permissions:
+      contents: write
+      packages: write
+      deployments: write
 
     strategy:
       matrix: