* Remove BW-GHAPP tokens from repository-management workflow
- Remove all Azure Key Vault and BW-GHAPP token generation
- Use github.token instead of app token
- Use github-actions[bot] email instead of actions@github.com
- Create PR with version bump instead of pushing directly to main
- Update permissions (remove id-token, add pull-requests for bump_version)
- No GPG signing to remove (wasn't present)
* Fix template injection security issue
* Remove BW-GHAPP tokens from repository-management workflow
- Remove all Azure Key Vault and BW-GHAPP token generation
- Use github.token instead of app token
- Use github-actions[bot] email instead of actions@github.com
- Create PR with version bump instead of pushing directly to main
- Update permissions (remove id-token, add pull-requests for bump_version)
- Add 'version update' label to automated PRs
- Fix template injection security issue
The move_edd_db_scripts job in repository-management.yml had
permissions: {} while calling _move_edd_db_scripts.yml, which
declares pull-requests: write and contents: write at its top
level. GitHub Actions blocks permission escalation in reusable
workflow callers at startup, producing a startup_failure.
Additionally, _move_edd_db_scripts.yml was missing id-token: write
and actions: read from its own top-level permissions block, which
its jobs require.
Fixed by granting the caller job explicit permissions matching what
the reusable workflow needs, and adding the missing permissions to
the reusable workflow's top-level block.
- Add empty permission set at workflow level to remove default GITHUB_TOKEN permissions
- Add empty permission set to setup job as it only runs bash commands
- Add contents:write to GitHub App tokens in bump_version and cut_branch jobs for git operations
- Add empty permission set to move_edd_db_scripts job as called workflow declares its own permissions
- Remove secrets:inherit as called workflow accesses Azure secrets directly
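The caller/callee permission mismatch described in the two commit messages above (the `permissions: {}` caller job that produced a startup_failure, and the corrected grants), as an added illustration rather than the repository's own workflow files. The job and file names follow the commit messages; the step contents and the `move` job name in the reusable workflow are placeholders, and the exact set of permissions the real reusable workflow's jobs need is assumed from the messages.

```yaml
# Added illustration, not the repository's own files.
# Document 1: the failing shape of .github/workflows/repository-management.yml (caller).
permissions: {}            # workflow-level: drop all default GITHUB_TOKEN permissions

jobs:
  move_edd_db_scripts:
    permissions: {}        # caller grants nothing to the called workflow ...
    uses: ./.github/workflows/_move_edd_db_scripts.yml
    # ... while the called workflow declares contents/pull-requests: write.
    # A called workflow can only narrow what the caller passes, never widen it,
    # so the run is rejected at startup (startup_failure) before any job runs.
---
# Document 2: the corrected caller. The job grants exactly the permissions
# the reusable workflow declares, and nothing else; other jobs keep {}.
permissions: {}

jobs:
  setup:
    permissions: {}        # only runs shell commands, needs no token scopes
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder setup step"

  move_edd_db_scripts:
    needs: setup
    permissions:
      contents: write      # git push of the moved scripts
      pull-requests: write # opening the PR
      id-token: write      # OIDC token exchange with Azure (assumed from the message)
      actions: read
    uses: ./.github/workflows/_move_edd_db_scripts.yml
    # no `secrets: inherit`: the called workflow reads its Azure secrets itself
---
# Document 3: the corrected .github/workflows/_move_edd_db_scripts.yml (called).
# Its top-level block now lists id-token: write and actions: read as well,
# matching what its jobs use; the caller's grant above must cover all four.
on:
  workflow_call:

permissions:
  contents: write
  pull-requests: write
  id-token: write
  actions: read

jobs:
  move:                    # placeholder job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the script move and PR creation"
```

The three documents are separated with `---` so the file parses as valid YAML; in practice they are two separate files. The check a practitioner wants before merging a change like this is to diff the caller job's `permissions:` against the reusable workflow's top-level `permissions:` block: any scope present in the callee but absent from the caller reproduces the startup_failure, and any scope present in the caller but not needed by the callee is unnecessary privilege handed to every step of the called workflow.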
* Document database projects and complete EDD support
* Remove an old remnant of a now-unused 'future' state
* Sync finalization scripts
* Fix conflict
* Fix some script issues