Match core repo

Author: bluwy

.github/workflows/ci.yml

@@ -7,6 +7,9 @@ on:
   merge_group:
     branches:
       - main
+      - next
+      # merge group rulesets don't allow wildcards so in settings each maintenance branch needs to be added separately
+      - "maintenance/v*" # branch rulesets don't support v[0-9]+
 
 permissions:
   contents: read

.github/workflows/publish.yml

@@ -4,13 +4,15 @@ on:
   push:
     branches:
       - main
+      - next
+      - "maintenance/v*" # branch rulesets don't support v[0-9]+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
   queue: max
 
-permissions: {}
+permissions: {} # each job should define its own permission explicitly
 
 jobs:
   version:
@@ -21,8 +23,7 @@ jobs:
     outputs:
       hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
     permissions:
-      contents: write # to create version commits (changesets/action)
-      pull-requests: write # to create pull request (changesets/action)
+      contents: read # to check out repo (actions/checkout)
     steps:
       - name: Check out repo
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -33,11 +34,13 @@ jobs:
         with:
           skip-cache: true # avoid cache poisoning attacks
 
-      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          permission-contents: write # to create version commits (changesets/action)
+          permission-pull-requests: write # to create pull request (changesets/action)
 
       - name: Create or update release pull request
         id: changesets