hoverkraft-tech · neilime · Apr 30, 2026 · Apr 30, 2026
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
@@ -0,0 +1,19 @@
+{
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "2.16.1",
+      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:ce078b7bf7d9ef3bcb9813b32103795d8d72172446890b64772cbe1dec6baafd",
+      "integrity": "sha256:ce078b7bf7d9ef3bcb9813b32103795d8d72172446890b64772cbe1dec6baafd"
+    },
+    "ghcr.io/devcontainers/features/github-cli:1": {
+      "version": "1.1.0",
+      "resolved": "ghcr.io/devcontainers/features/github-cli@sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671",
+      "integrity": "sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671"
+    },
+    "ghcr.io/devcontainers/features/node:1": {
+      "version": "1.7.1",
+      "resolved": "ghcr.io/devcontainers/features/node@sha256:8c0de46939b61958041700ee89e3493f3b2e4131a06dc46b4d9423427d06e5f6",
+      "integrity": "sha256:8c0de46939b61958041700ee89e3493f3b2e4131a06dc46b4d9423427d06e5f6"
+    }
+  }
+}
diff --git a/.github/workflows/__greetings.yml b/.github/workflows/__greetings.yml
@@ -10,7 +10,7 @@ permissions: {}
 
 jobs:
   greetings:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
     permissions:
       contents: read
       issues: write

diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
@@ -35,23 +35,23 @@ jobs:
   release:
     needs: ci
     if: github.event_name != 'schedule'
-    uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@b56be562f38e0e3e712f09691a8fe930aae9db1b # 0.22.0
+    uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@48e0c54489152b98d9e18f0454ccce120e9d0fd1 # 0.23.0
     permissions:
       contents: read
     with:
       update-all: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }}
-      github-app-id: ${{ vars.CI_BOT_APP_ID }}
+      github-app-client-id: ${{ vars.CI_BOT_APP_CLIENT_ID }}
     secrets:
       github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
 
   sync-docs:
     needs: release
     if: github.event_name != 'schedule' && github.ref_name == github.event.repository.default_branch && needs.release.outputs.artifact-id
-    uses: hoverkraft-tech/public-docs/.github/workflows/sync-docs-dispatcher.yml@c40c17f7d6a8090950b3ef4bfc70502707a6bb9f # 0.3.0
+    uses: hoverkraft-tech/public-docs/.github/workflows/sync-docs-dispatcher.yml@f3c9291760d927e6214e8d5f0a376af2d537c369 # 0.4.0
     permissions:
       contents: read
     with:
       artifact-id: ${{ needs.release.outputs.artifact-id }}
-      github-app-id: ${{ vars.CI_BOT_APP_ID }}
+      github-app-client-id: ${{ vars.CI_BOT_APP_CLIENT_ID }}
     secrets:
       github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/__need-fix-to-issue.yml b/.github/workflows/__need-fix-to-issue.yml
@@ -18,7 +18,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
     permissions:
       contents: read
       issues: write

diff --git a/.github/workflows/__semantic-pull-request.yml b/.github/workflows/__semantic-pull-request.yml
@@ -12,7 +12,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
     permissions:
       contents: write
       pull-requests: write
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
@@ -7,7 +7,7 @@ permissions: {}
 
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
     permissions:
       contents: read
       statuses: write

diff --git a/.github/workflows/__stale.yml b/.github/workflows/__stale.yml
@@ -8,7 +8,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
     permissions:
       issues: write
       pull-requests: write
diff --git a/.github/workflows/__test-workflow-continuous-integration.yml b/.github/workflows/__test-workflow-continuous-integration.yml
@@ -11,11 +11,10 @@ jobs:
     uses: ./.github/workflows/continuous-integration.yml
     permissions:
       contents: read
+      id-token: write
       packages: read
       pull-requests: write
       security-events: write
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-      id-token: write
     with:
       working-directory: tests/npm
       build: |
@@ -42,11 +41,10 @@ jobs:
     uses: ./.github/workflows/continuous-integration.yml
     permissions:
       contents: read
+      id-token: write
       packages: read
       pull-requests: write
       security-events: write
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-      id-token: write
     with:
       working-directory: tests/npm
       build: |
@@ -59,12 +57,12 @@ jobs:
   arrange-with-container:
     name: Arrange - Build container image for CI workflow
     permissions:
-      id-token: write
       contents: read
-      packages: write
+      id-token: write
       issues: read
+      packages: write
       pull-requests: read
-    uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@e4bf7a12228a2a4b5993d2d36b99b4dd0ec80bf5 # 0.32.1
+    uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@e68cac9a52f0a24cd3800fc723dc4899f647e42b # 0.33.0
     with:
       sign: false
       images: |
@@ -85,11 +83,10 @@ jobs:
     needs: arrange-with-container
     permissions:
       contents: read
+      id-token: write
       packages: read
       pull-requests: write
       security-events: write
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-      id-token: write
     with:
       container: ${{ fromJSON(needs.arrange-with-container.outputs.built-images).ci-npm.images[0] }}
       working-directory: /usr/src/app/
@@ -120,11 +117,10 @@ jobs:
     needs: arrange-with-container
     permissions:
       contents: read
+      id-token: write
       packages: read
       pull-requests: write
       security-events: write
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-      id-token: write
     with:
       container: |
         {

diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -293,11 +293,11 @@ jobs:
       security-events: write
     runs-on: *ci-runner
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
-      - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
+      - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           languages: ${{ inputs.code-ql }}
-      - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+      - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 
   dependency-review:
     name: 🛡️ Dependency Review
@@ -306,7 +306,7 @@ jobs:
       contents: read
     runs-on: *ci-runner
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
       - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
 
   setup:
@@ -317,8 +317,6 @@ jobs:
     permissions:
       contents: read
       packages: read
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-      id-token: write
     container: &ci-container
       image: ${{ needs.prepare.outputs.container-image || '' }}
       env: ${{ fromJSON(needs.prepare.outputs.container-env || '{}') }}
@@ -334,10 +332,10 @@ jobs:
     steps:
       - name: Checkout repository
         if: inputs.container == ''
-        uses: hoverkraft-tech/ci-github-common/actions/checkout@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+        uses: hoverkraft-tech/ci-github-common/actions/checkout@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
 
       - id: working-directory
-        uses: hoverkraft-tech/ci-github-common/actions/working-directory@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+        uses: hoverkraft-tech/ci-github-common/actions/working-directory@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
         with:
           working-directory: ${{ inputs.working-directory }}
           enforce-path-in-workspace: ${{ inputs.container && 'false' || 'true' }}
@@ -442,13 +440,12 @@ jobs:
     permissions:
       contents: read
       packages: read
-      id-token: write # Needed for getting local workflow actions
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
         if: inputs.container == ''
 
       - id: local-workflow-actions
-        uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+        uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
         with:
           actions-path: actions
 
@@ -475,23 +472,14 @@ jobs:
             core.setOutput('report-file', lintOptions['report-file'] || '');
 
       - name: Run lint
-        uses: ./self-workflow/actions/lint
+        uses: ./../self-workflow/actions/lint
         with:
           working-directory: ${{ needs.setup.outputs.working-directory }}
           container: ${{ inputs.container != '' && 'true' || 'false' }}
           command: ${{ steps.preparel-lint-options.outputs.command }}
           report-file: ${{ steps.preparel-lint-options.outputs.report-file }}
           path-mapping: ${{ needs.prepare.outputs.path-mapping || '' }}
 
-      # jscpd:ignore-start
-      - uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
-        if: always() && steps.local-workflow-actions.outputs.repository
-        with:
-          actions-path: actions
-          repository: ${{ steps.local-workflow-actions.outputs.repository }}
-          ref: ${{ steps.local-workflow-actions.outputs.ref }}
-      # jscpd:ignore-end
-
   build:
     if: inputs.checks == true
     name: 🏗️ Build
@@ -503,21 +491,20 @@ jobs:
     permissions:
       contents: read
       packages: read
-      id-token: write # Needed for getting local workflow actions
     outputs:
       artifact-id: ${{ steps.build.outputs.artifact-id }}
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
         if: needs.setup.outputs.build-commands && inputs.container == ''
 
       - id: local-workflow-actions
-        uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+        uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
         with:
           actions-path: actions
 
       - id: build
         if: needs.setup.outputs.build-commands
-        uses: ./self-workflow/actions/build
+        uses: ./../self-workflow/actions/build
         with:
           container: ${{ inputs.container != '' && 'true' || 'false' }}
           working-directory: ${{ needs.setup.outputs.working-directory }}
@@ -526,15 +513,6 @@ jobs:
           build-env: ${{ needs.setup.outputs.build-env }}
           build-artifact: ${{ needs.setup.outputs.build-artifact }}
 
-      # jscpd:ignore-start
-      - uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
-        if: always() && steps.local-workflow-actions.outputs.repository
-        with:
-          actions-path: actions
-          repository: ${{ steps.local-workflow-actions.outputs.repository }}
-          ref: ${{ steps.local-workflow-actions.outputs.ref }}
-      # jscpd:ignore-end
-
   test:
     if: inputs.checks == true && inputs.test
     name: 🧪 Test
@@ -546,11 +524,11 @@ jobs:
       - build
     permissions:
       contents: read
-      pull-requests: write
+      id-token: write # Required for Codecov uploads with OIDC authentication
       packages: read
-      id-token: write # Needed for getting local workflow actions
+      pull-requests: write
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
         if: inputs.container == ''
 
       - if: needs.build.outputs.artifact-id && inputs.container == ''
@@ -560,7 +538,7 @@ jobs:
           path: "/"
 
       - id: local-workflow-actions
-        uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+        uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
         with:
           actions-path: actions
 
@@ -591,7 +569,7 @@ jobs:
             core.setOutput('command', testOptions.command || 'test:ci');
 
       - name: Run tests
-        uses: ./self-workflow/actions/test
+        uses: ./../self-workflow/actions/test
         with:
           working-directory: ${{ needs.setup.outputs.working-directory }}
           container: ${{ inputs.container != '' && 'true' || 'false' }}
@@ -600,12 +578,3 @@ jobs:
           report-file: ${{ steps.prepare-test-options.outputs.report-file }}
           path-mapping: ${{ needs.prepare.outputs.path-mapping || '' }}
           github-token: ${{ secrets.github-token || github.token }}
-
-      # jscpd:ignore-start
-      - uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
-        if: always() && steps.local-workflow-actions.outputs.repository
-        with:
-          actions-path: actions
-          repository: ${{ steps.local-workflow-actions.outputs.repository }}
-          ref: ${{ steps.local-workflow-actions.outputs.ref }}
-      # jscpd:ignore-end
diff --git a/actions/build/action.yml b/actions/build/action.yml
@@ -66,12 +66,12 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: hoverkraft-tech/ci-github-common/actions/local-actions@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+    - uses: hoverkraft-tech/ci-github-common/actions/local-actions@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
       with:
         source-path: ${{ github.action_path }}/..
 
     - id: working-directory
-      uses: hoverkraft-tech/ci-github-common/actions/working-directory@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+      uses: hoverkraft-tech/ci-github-common/actions/working-directory@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
       with:
         working-directory: ${{ inputs.working-directory }}
         enforce-path-in-workspace: ${{ inputs.container && 'false' || 'true' }}

diff --git a/actions/codecov/action.yml b/actions/codecov/action.yml
@@ -7,6 +7,13 @@ description: |
   - **Cleanup**: Uninstalls dependencies after Codecov upload is complete
   - **OIDC support**: Uses OIDC authentication with Codecov for secure uploads
 
+  Note that this action must have write permission for id-token for this to work:
+
+  ```yml
+  permissions:
+    id-token: write
+  ```
+
 author: hoverkraft
 branding:
   icon: upload-cloud
@@ -24,7 +31,7 @@ runs:
   using: "composite"
   steps:
     - id: working-directory
-      uses: hoverkraft-tech/ci-github-common/actions/working-directory@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+      uses: hoverkraft-tech/ci-github-common/actions/working-directory@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
       with:
         working-directory: ${{ inputs.working-directory }}
         enforce-path-in-workspace: "false"

diff --git a/actions/dependencies-cache/action.yml b/actions/dependencies-cache/action.yml
@@ -32,12 +32,12 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: hoverkraft-tech/ci-github-common/actions/local-actions@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+    - uses: hoverkraft-tech/ci-github-common/actions/local-actions@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
       with:
         source-path: ${{ github.action_path }}/..
 
     - id: working-directory
-      uses: hoverkraft-tech/ci-github-common/actions/working-directory@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+      uses: hoverkraft-tech/ci-github-common/actions/working-directory@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
       with:
         working-directory: ${{ inputs.working-directory }}
         enforce-path-in-workspace: "false"

diff --git a/actions/get-package-manager/action.yml b/actions/get-package-manager/action.yml
@@ -31,7 +31,7 @@ runs:
   using: "composite"
   steps:
     - id: working-directory
-      uses: hoverkraft-tech/ci-github-common/actions/working-directory@71b85947453f32b5d147ff3ab37351439a92d840 # 0.34.2
+      uses: hoverkraft-tech/ci-github-common/actions/working-directory@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
       with:
         working-directory: ${{ inputs.working-directory }}
         enforce-path-in-workspace: "false"