feat(ci): add environments

.github/workflows/__audit-repos.yml

@@ -12,6 +12,7 @@ on:
 jobs:
   audit:
     name: Audit Repos
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       - name: Audit

.github/workflows/__call-common-lint.yml

@@ -3,8 +3,7 @@
 # should be included in this workflow; however, there are cases where that is not true, such as with eslint.
 
 name: common lint (called)
-permissions:
-  contents: read
+permissions: {}
 
 on:
   pull_request:
@@ -13,6 +12,8 @@ on:
 jobs:
   lint:
     name: Common Lint
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     env:
       CLANG_FORMAT_VERSION: 20
@@ -105,7 +106,7 @@ jobs:
 
           if [ ! -f ".github/actionlint.yml" ]; then
             curl \
-              -fsSL \
+              -fsS \
               --retry 3 \
               -o ".github/actionlint.yml" \
               "https://raw.githubusercontent.com/LizardByte/.github/master/.github/actionlint.yml"
@@ -559,7 +560,7 @@ jobs:
         shell: bash
         run: |
           if [ ! -f .yamllint.yml ]; then
-            curl -sSL https://raw.githubusercontent.com/LizardByte/.github/master/.yamllint.yml -o .yamllint.yml
+            curl -sS https://raw.githubusercontent.com/LizardByte/.github/master/.yamllint.yml -o .yamllint.yml
           fi
 
           echo "::add-matcher::.github/matchers/yamllint.json"

.github/workflows/__call-docker.yml

@@ -20,6 +20,10 @@ on:
   pull_request:
   workflow_call:
     inputs:
+      gh_bot_name:
+        description: 'GitHub bot name to use for the workflow.'
+        required: false
+        type: string
       maximize_build_space:
         description: 'Maximize build space.'
         required: false
@@ -47,9 +51,6 @@ on:
       DOCKER_HUB_ACCESS_TOKEN:
         description: 'Docker Hub access token to use for the workflow.'
         required: false
-      GH_BOT_NAME:
-        description: 'GitHub bot name to use for the workflow.'
-        required: false
       GH_BOT_TOKEN:
         description: 'GitHub bot token to use for the workflow.'
         required: false
@@ -123,6 +124,9 @@ jobs:
       contents: read
       packages: write
     runs-on: ubuntu-22.04
+    environment:
+      name: docker-${{ matrix.tag }}
+      url: https://hub.docker.com/r/${{ needs.check_dockerfiles.outputs.base_tag }}/tags?name=-${{ matrix.tag }}
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.check_dockerfiles.outputs.matrix) }}
@@ -250,7 +254,7 @@ jobs:
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
         with:
           registry: ghcr.io
-          username: ${{ secrets.GH_BOT_NAME }}
+          username: ${{ inputs.gh_bot_name }}
           password: ${{ secrets.GH_BOT_TOKEN }}
 
       - name: Add problem matcher

.github/workflows/__call-github-env.yml

@@ -3,8 +3,7 @@
 # projects that get many PRs so we can see how the context varies between forks and internal branches.
 
 name: GitHub Env Debug
-permissions:
-  contents: read
+permissions: {}
 
 on:
   pull_request:
@@ -13,6 +12,8 @@ on:
 jobs:
   github_env:
     name: GitHub Env Debug
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Dump GitHub context

.github/workflows/__call-release-notifier.yml

@@ -1,17 +1,18 @@
 ---
 name: Release Notifications (called)
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call:
+    inputs:
+      gh_name:
+        description: 'GitHub name to use for the workflow.'
+        required: true
+        type: string
     secrets:
       GH_EMAIL:
         description: 'GitHub email to use for the workflow.'
         required: true
-      GH_NAME:
-        description: 'GitHub name to use for the workflow.'
-        required: true
       GH_TOKEN:
         description: 'GitHub token to use for the workflow.'
         required: true
@@ -20,7 +21,14 @@ jobs:
   update-blog:
     name: Update blog
     if: github.repository_owner == 'LizardByte'
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
+    environment:
+      name: release-announcement
+      url: ${{ steps.create-pr.outputs.pull-request-url }}
+    env:
+      BLOG_REPO: ${{ github.repository_owner }}/${{ github.repository_owner }}.github.io
     steps:
       - name: Check topics
         env:
@@ -62,7 +70,7 @@ jobs:
           steps.check-release.outputs.isLatestRelease == 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          repository: "LizardByte/LizardByte.github.io"
+          repository: ${{ env.BLOG_REPO }}
 
       - name: Create blog post
         if: >-
@@ -120,8 +128,8 @@ jobs:
           steps.check-release.outputs.isLatestRelease == 'true'
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
         with:
-          author: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
-          committer: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
+          author: "${{ inputs.gh_name }} <${{ secrets.GH_EMAIL }}>"
+          committer: "${{ inputs.gh_name }} <${{ secrets.GH_EMAIL }}>"
           token: ${{ secrets.GH_TOKEN }}
           commit-message: |
             chore: Add blog post for ${{ github.event.repository.name }} release ${{ github.event.release.tag_name }}

.github/workflows/__call-update-changelog.yml

@@ -2,8 +2,7 @@
 # Update changelog on release events.
 
 name: Update changelog (called)
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call:
@@ -15,11 +14,19 @@ on:
 jobs:
   update-changelog:
     name: Update Changelog
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
+    environment:
+      name: changelog
+      url: ${{ github.event.repository.html_url }}/blob/${{ env.CHANGELOG_BRANCH }}/${{ env.CHANGELOG_FILE }}
+    env:
+      CHANGELOG_BRANCH: changelog
+      CHANGELOG_FILE: CHANGELOG.md
     steps:
       - name: Update Changelog
         uses: LizardByte/actions/actions/release_changelog@6be4ea62064b64957aa880252fe353cd65bcdef7  # v2026.214.14019
         with:
-          changelogBranch: changelog
-          changelogFile: CHANGELOG.md
+          changelogBranch: ${{ env.CHANGELOG_BRANCH }}
+          changelogFile: ${{ env.CHANGELOG_FILE }}
           token: ${{ secrets.GH_TOKEN }}

.github/workflows/__call-update-docs.yml

@@ -17,21 +17,27 @@ on:
 
 jobs:
   update-docs:
+    environment:
+      name: ReadTheDocs
+      url: https://${{ steps.get_slug.outputs.RTD_SLUG }}.readthedocs.io//latest
     env:
       RTD_SLUG: ${{ inputs.READTHEDOCS_SLUG }}
       RTD_TOKEN: ${{ secrets.READTHEDOCS_TOKEN }}
       TAG: ${{ github.event.release.tag_name }}
     if: >-
       !github.event.release.draft
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       - name: Get RTD_SLUG
+        id: get_slug
         run: |
           # if the RTD_SLUG is not set, use the repository name in lowercase
           if [ -z "${RTD_SLUG}" ]; then
               RTD_SLUG=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
           fi
           echo "RTD_SLUG=${RTD_SLUG}" >> "${GITHUB_ENV}"
+          echo "RTD_SLUG=${RTD_SLUG}" >> "${GITHUB_OUTPUTS}"
 
       - name: Deactivate deleted release
         if: >-

.github/workflows/__call-update-flathub-repo.yml

@@ -1,25 +1,31 @@
 ---
 name: Update Flathub repo (called)
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call:
+    inputs:
+      gh_name:
+        description: 'GitHub name to use for the workflow.'
+        required: true
+        type: string
     secrets:
       GH_EMAIL:
         description: 'GitHub email to use for the workflow.'
         required: true
-      GH_NAME:
-        description: 'GitHub name to use for the workflow.'
-        required: true
       GH_TOKEN:
         description: 'GitHub token to use for the workflow.'
         required: true
 
 jobs:
   update-flathub-repo:
+    environment:
+      name: Flathub
+      url: ${{ steps.create-pr.outputs.pull-request-url }}
     env:
       FLATHUB_PKG: dev.lizardbyte.app.${{ github.event.repository.name }}
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Check if Flathub repo
@@ -88,13 +94,13 @@ jobs:
           mkdir -p .github/ISSUE_TEMPLATE
 
           # sponsors
-          curl -sSL https://github.com/LizardByte/.github/raw/refs/heads/master/.github/FUNDING.yml \
+          curl -sS https://github.com/LizardByte/.github/raw/refs/heads/master/.github/FUNDING.yml \
             -o .github/FUNDING.yml
           # pull request template
-          curl -sSL https://github.com/LizardByte/.github/raw/refs/heads/master/.github/pull_request_template.md \
+          curl -sS https://github.com/LizardByte/.github/raw/refs/heads/master/.github/pull_request_template.md \
             -o .github/pull_request_template.md
           # issue config
-          curl -sSL https://github.com/LizardByte/.github/raw/refs/heads/master/.github/ISSUE_TEMPLATE/config.yml \
+          curl -sS https://github.com/LizardByte/.github/raw/refs/heads/master/.github/ISSUE_TEMPLATE/config.yml \
             -o .github/ISSUE_TEMPLATE/config.yml
 
       - name: Download release asset
@@ -158,8 +164,8 @@ jobs:
           fromJson(steps.download.outputs.downloaded_files)[0]
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
         with:
-          author: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
-          committer: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
+          author: "${{ inputs.gh_name }} <${{ secrets.GH_EMAIL }}>"
+          committer: "${{ inputs.gh_name }} <${{ secrets.GH_EMAIL }}>"
           path: "flathub/${{ env.FLATHUB_PKG }}"
           token: ${{ secrets.GH_TOKEN }}
           commit-message: "chore: Update ${{ env.FLATHUB_PKG }} to ${{ github.event.release.tag_name }}"

.github/workflows/__call-update-homebrew-repo.yml

@@ -1,24 +1,30 @@
 ---
 name: Update Homebrew repo (called)
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call:
+    inputs:
+      gh_username:
+        description: 'Username for git commits'
+        required: true
+        type: string
     secrets:
       GH_EMAIL:
         description: 'Email address for git commits'
         required: true
       GH_TOKEN:
         description: 'GitHub token to use for the workflow.'
         required: true
-      GH_USERNAME:
-        description: 'Username for git commits'
-        required: true
 
 jobs:
   update-homebrew-repo:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
+    environment:
+      name: Homebrew
+      url: https://github.com/${{ github.repository_owner }}/homebrew-homebrew/commits
     steps:
       - name: Check if Homebrew repo
         id: check-label
@@ -62,7 +68,7 @@ jobs:
         with:
           formula_file: ${{ fromJson(steps.download.outputs.downloaded_files)[0] }}
           git_email: ${{ secrets.GH_EMAIL }}
-          git_username: ${{ secrets.GH_USERNAME }}
+          git_username: ${{ inputs.gh_username }}
           publish: true
           token: ${{ secrets.GH_TOKEN }}
           validate: false

.github/workflows/__call-update-npm.yml

@@ -1,9 +1,6 @@
 ---
 name: Update NPM (called)
-permissions:
-  contents: read
-  id-token: write  # required for provenance and OIDC
-  packages: write
+permissions: {}
 
 on:
   workflow_call:
@@ -15,6 +12,10 @@ on:
 
 jobs:
   publish-npm:
+    permissions:
+      contents: read
+      id-token: write  # required for provenance and OIDC
+      packages: write
     runs-on: ubuntu-latest
     environment:
       name: ${{ matrix.environment }}