From 1c378863d40a79ad8f5389b4d741a48a27966aae Mon Sep 17 00:00:00 2001
From: jmeridth <jmeridth@gmail.com>
Date: Mon, 27 Jan 2025 15:27:10 -0600
Subject: [PATCH] chore: update workflows

- [x] update ospo-reusable-workflows version
  - prevents auto-labeler creating draft releases
- [x] update permissions on release-image, allows for attestations, if enabled

Signed-off-by: jmeridth <jmeridth@gmail.com>
---
 .github/workflows/auto-labeler.yml |  4 ++--
 .github/workflows/pr-title.yml     |  2 +-
 .github/workflows/release.yml      | 12 ++++++------
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml
index 7e41954..43e20ea 100644
--- a/.github/workflows/auto-labeler.yml
+++ b/.github/workflows/auto-labeler.yml
@@ -9,9 +9,9 @@ permissions:
 jobs:
   main:
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
-    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@1406afbf7a795f706f04644059cecbb3b2f0c1a0
+    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
     with:
       config-name: release-drafter.yml
     secrets:
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 70f1974..c8aee01 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -12,6 +12,6 @@ jobs:
       contents: read
       pull-requests: read
       statuses: write
-    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@1406afbf7a795f706f04644059cecbb3b2f0c1a0
+    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
     secrets:
       github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8593032..8b4a9e8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: read
-    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@53a9c808122ffaae9af948f72139fb4bd44ab74c
+    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
     with:
       publish: true
       release-config-name: release-drafter.yml
@@ -21,11 +21,11 @@ jobs:
   release_image:
     needs: release
     permissions:
-      contents: write
-      discussions: write
+      contents: read
       packages: write
-      pull-requests: read
-    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@53a9c808122ffaae9af948f72139fb4bd44ab74c
+      id-token: write
+      attestations: write
+    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
     with:
       image-name: ${{ github.repository_owner }}/stale_repos
       full-tag: ${{ needs.release.outputs.full-tag }}
@@ -40,7 +40,7 @@ jobs:
     permissions:
       contents: read
       discussions: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@53a9c808122ffaae9af948f72139fb4bd44ab74c
+    uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
     with:
       full-tag: ${{ needs.release.outputs.full-tag }}
       body: ${{ needs.release.outputs.body }}