fix workflows

anthony-nhs · anthony-nhs · commit f4bcfdced7d0 · 2026-03-31T09:59:58.000Z
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
@@ -11,8 +11,7 @@ name: build_all_images
       NO_CACHE:
         required: true
         type: boolean
-env:
-  BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
+permissions: {}
 jobs:
   discover_folders:
     runs-on: ubuntu-latest
@@ -22,6 +21,8 @@ jobs:
       project_folders: ${{ steps.find-folders.outputs.projects }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - id: find-folders
         run: |
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -20,6 +20,7 @@ name: Build and push docker image
       EXTRA_COMMON:
         required: false
         type: string
+permissions: {}
 
 jobs:
   build_and_push_image:
@@ -63,6 +64,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: setup node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,6 +2,7 @@ name: merge to main workflow
 on:
   push:
     branches: [main]
+permissions: {}
 
 jobs:
   get_config_values:
@@ -27,7 +28,6 @@ jobs:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
   build_all_images:
     needs: 
       - tag_release
diff --git a/.github/workflows/delete_old_images.yml b/.github/workflows/delete_old_images.yml
@@ -7,6 +7,7 @@ on:
     - cron: "0 1 * * 6"
   push:
     branches: [main]
+permissions: {}
 
 jobs:
   delete-old-pushed-images:
@@ -21,8 +22,8 @@ jobs:
       - name: Checkout local code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
+          persist-credentials: false
 
       - name: delete unused images
         shell: bash
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -3,8 +3,7 @@ name: pull_request
   pull_request:
     branches:
       - main
-env:
-  BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
+permissions: {}
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
@@ -63,7 +62,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: '${{ env.BRANCH_NAME }}'
+          persist-credentials: false
       - name: Get Commit ID
         id: commit_id
         run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,7 @@ on:
   workflow_dispatch:
   schedule:
     - cron: "0 18 * * 3"
+permissions: {}
 
 jobs:
   get_config_values:
