chore(deps): Bump github/codeql-action from 4.36.0 to 4.36.1

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.36.0 to 4.36.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/7211b7c8077ea37d8641b6271f6a365a22a5fbfa...87557b9c84dde89fdd9b10e88954ac2f4248e463) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.36.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-06-05 00:47:53 +03:00 · 2026-06-04 00:16:12 +00:00
4 changed files with 11 additions and 16 deletions
@@ -1,6 +1,9 @@
 # reusable workflow
 name: .e2e-run

+permissions:
+  contents: read
+
 on:
  workflow_call:
    inputs:
@@ -114,8 +117,8 @@ jobs:
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
-          username: ${{ env.REGISTRY_USER || secrets.registry_username || (inputs.registry == 'ghcr.io' && github.actor) || '' }}
-          password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password || (inputs.registry == 'ghcr.io' && secrets.GITHUB_TOKEN) || '' }}
+          username: ${{ env.REGISTRY_USER || secrets.registry_username }}
+          password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password }}
          scope: ${{ inputs.type == 'remote' && inputs.registry == '' && '@push' || '' }}
      -
        name: Build and push
@@ -35,12 +35,12 @@ jobs:
          node-version: ${{ env.NODE_VERSION }}
      -
        name: Initialize CodeQL
-        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
        with:
          languages: javascript-typescript
          build-mode: none
      -
        name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
        with:
          category: "/language:javascript-typescript"
@@ -20,9 +20,6 @@ on:
 jobs:
  build:
    uses: ./.github/workflows/.e2e-run.yml
-    permissions:
-      contents: read
-      packages: write # to push image to GHCR
    strategy:
      fail-fast: false
      matrix:
@@ -41,7 +38,7 @@ jobs:
          -
            name: GitHub
            registry: ghcr.io
-            slug: ghcr.io/docker/build-push-action-test
+            slug: ghcr.io/docker-ghactiontest/test
            auth: ghcr
            type: remote
          -
@@ -103,11 +100,11 @@ jobs:
      registry: ${{ matrix.registry }}
      slug: ${{ matrix.slug }}
    secrets:
-      # Pass only the registry-specific secrets needed by each matrix entry.
-      # GHCR uses the called workflow's GITHUB_TOKEN fallback.
+      # Pass only the two secrets needed by each matrix entry.
      registry_username: >-
        ${{
          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
+          matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
          matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
          matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
          matrix.auth == 'gar' && secrets.GAR_USERNAME ||
@@ -119,6 +116,7 @@ jobs:
      registry_password: >-
        ${{
          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
+          matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
          matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
          matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
          matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
@@ -1,6 +0,0 @@
-rules:
-  # rule does not apply to reusable worfklows where permissions are defined by
-  # the caller workflow and not the reusable workflow itself
-  excessive-permissions:
-    ignore:
-      - .e2e-run.yml