From 0f50379008d8f43112f2456f50dcd290c7a37d37 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Nov 2025 04:01:08 +0000 Subject: [PATCH] build(deps): bump the github-actions-dependencies group with 3 updates Bumps the github-actions-dependencies group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml](https://github.com/hoverkraft-tech/ci-github-common) and [hoverkraft-tech/ci-github-common/.github/workflows/stale.yml](https://github.com/hoverkraft-tech/ci-github-common). Updates `actions/checkout` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/08c6903cd8c0fde910a37f88322edcfb5dd907a8...1af3b93b6815bc44a9784bd300feb67ff0d1eeb3) Updates `hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml` from 0.28.1 to 0.30.0 - [Release notes](https://github.com/hoverkraft-tech/ci-github-common/releases) - [Commits](https://github.com/hoverkraft-tech/ci-github-common/compare/753288393de1f3d92f687a6761d236ca800f5306...1127e708e4072515056a4b0d26bcb0653646cedc) Updates `hoverkraft-tech/ci-github-common/.github/workflows/stale.yml` from 0.28.1 to 0.30.0 - [Release notes](https://github.com/hoverkraft-tech/ci-github-common/releases) - [Commits](https://github.com/hoverkraft-tech/ci-github-common/compare/753288393de1f3d92f687a6761d236ca800f5306...1127e708e4072515056a4b0d26bcb0653646cedc) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions-dependencies - dependency-name: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml dependency-version: 0.30.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: 
github-actions-dependencies - dependency-name: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml dependency-version: 0.30.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions-dependencies ... Signed-off-by: dependabot[bot] Signed-off-by: Emilien Escalle --- .github/workflows/__shared-ci.yml | 10 ++++++- .github/workflows/main-ci.yml | 29 +++++++++++++------- .github/workflows/need-fix-to-issue.yml | 7 ++++- .github/workflows/pull-request-ci.yml | 5 ++++ .github/workflows/stale.yml | 7 ++++- .github/workflows/update-css-referential.yml | 11 +++++--- 6 files changed, 52 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
index 3c036fd..15bf1b9 100644
--- a/.github/workflows/__shared-ci.yml
+++ b/.github/workflows/__shared-ci.yml
@@ -3,8 +3,14 @@ name: Shared - Continuous Integration for common tasks on: workflow_call: +permissions: {} + jobs: checks: + permissions: + contents: read + id-token: write + strategy: matrix: include:
@@ -17,7 +23,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: ⚙️ Setup PHP, with composer and extensions uses: ./.github/workflows/actions/setup-php
diff --git a/.github/workflows/main-ci.yml b/.github/workflows/main-ci.yml
index bbe1013..970f971 100644
--- a/.github/workflows/main-ci.yml
+++ b/.github/workflows/main-ci.yml
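Review bot: In `.github/workflows/__shared-ci.yml` the `checks` job is granted `id-token: write`, but the steps visible in these hunks (checkout and the local `setup-php` action) show no use of an OIDC token; the rest of the job lies outside the hunks. If no step requests one, the block should be reduced to `contents: read`, since this workflow is also called with `secrets: inherit` from `pull-request-ci.yml`, which by its name and `merge_group` trigger appears to run on proposed changes. The same grant is repeated on the caller jobs in `main-ci.yml` and `pull-request-ci.yml` and would be dropped there as well. If the permission is required, a comment such as `# id-token: write: needed by <step-name-placeholder> for OIDC` beside it would record why.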
@@ -1,30 +1,35 @@ name: Main - Continuous Integration -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - on: push: branches: - main -permissions: - contents: read - pages: write - id-token: write +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} jobs: ci: name: Continuous Integration uses: ./.github/workflows/__shared-ci.yml + permissions: + contents: read + id-token: write secrets: inherit docs-generate-site: runs-on: ubuntu-latest needs: ci + permissions: + contents: read steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + - run: | mkdir -p ./_site
@@ -64,8 +69,12 @@ jobs: docs-generate-phpdoc: runs-on: ubuntu-latest needs: ci + permissions: + contents: read steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: 📃 Generate PHP documentation run: docker run --rm -v $(pwd):/data phpdoc/phpdoc:3 -d ./src -t ./_site/phpdoc
diff --git a/.github/workflows/need-fix-to-issue.yml b/.github/workflows/need-fix-to-issue.yml
index 9960173..ea7aefd 100644
--- a/.github/workflows/need-fix-to-issue.yml
+++ b/.github/workflows/need-fix-to-issue.yml
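Review bot: With the workflow-level block in `.github/workflows/main-ci.yml` replaced by `permissions: {}`, any job in this file that does not declare its own `permissions:` now runs with no token scopes, and the removed `pages: write` is not re-granted on any job visible in the two hunks. The old `pages: write` plus `id-token: write` pair suggests a Pages deployment job elsewhere in the file, outside both hunks. If that job exists and is unchanged, it needs its own block with `pages: write` and `id-token: write`, or the deployment will be refused. This should be confirmed against the full file before merging.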
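Review bot: The `docs-generate-phpdoc` job still runs `phpdoc/phpdoc:3` by mutable tag while every action touched by this commit is pinned to a commit SHA, so the image that reads and writes the bind-mounted workspace can change without any diff in this repository. Pinning by digest would close that gap, e.g. `docker run --rm -v $(pwd):/data phpdoc/phpdoc:3@sha256:<digest-placeholder> -d ./src -t ./_site/phpdoc`, with the digest taken from an image that has been reviewed. The `persist-credentials: false` added in this hunk already keeps the checkout token out of the `.git/config` that the container can read.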
@@ -17,9 +17,14 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: main: - uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@753288393de1f3d92f687a6761d236ca800f5306 # 0.28.1 + uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + permissions: + contents: read + issues: write with: manual-commit-ref: ${{ inputs.manual-commit-ref }} manual-base-ref: ${{ inputs.manual-base-ref }}
diff --git a/.github/workflows/pull-request-ci.yml b/.github/workflows/pull-request-ci.yml
index 09a2a98..d8cfcae 100644
--- a/.github/workflows/pull-request-ci.yml
+++ b/.github/workflows/pull-request-ci.yml
@@ -10,8 +10,13 @@ on: - main merge_group: +permissions: {} + jobs: ci: name: Continuous Integration uses: ./.github/workflows/__shared-ci.yml + permissions: + contents: read + id-token: write secrets: inherit
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 4b53bf5..249959b 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,11 @@ on: schedule: - cron: "30 1 * * *" +permissions: {} + jobs: main: - uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@753288393de1f3d92f687a6761d236ca800f5306 # 0.28.1 + uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + permissions: + issues: write + pull-requests: write
diff --git a/.github/workflows/update-css-referential.yml b/.github/workflows/update-css-referential.yml
index 5237b95..ce273f6 100644
--- a/.github/workflows/update-css-referential.yml
+++ b/.github/workflows/update-css-referential.yml
@@ -5,16 +5,19 @@ on: - cron: "0 0 * * 0" # Every Sunday at midnight workflow_dispatch: -permissions: - contents: write - pull-requests: write +permissions: {} jobs: update-css-referential: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: ⚙️ Setup PHP, with composer and extensions uses: ./.github/workflows/actions/setup-php
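Review bot: `persist-credentials: false` on the checkout in `update-css-referential` removes the token that a later plain `git push` would have picked up from `.git/config`. The job keeps `contents: write` and `pull-requests: write`, which suggests it commits and opens a pull request in steps outside this hunk. If one of those steps pushes with git directly, it will now fail to authenticate unless the token is passed to that step explicitly, for example through the step's own token input. Keeping the token out of the working tree is the safer arrangement, provided the push or pull-request step is confirmed to carry its own credential.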