From 99bfdee4cd85b34c2bcfa218826dc415a70128b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gon=C3=A7alo=20M=2E?=
Date: Mon, 17 Nov 2025 19:19:32 +0000
Subject: [PATCH] chore(github-actions): Review workflow structure and fine tune permissions (#30789)

Issue number: resolves #

---------

## What is the current behavior?
- Permissions not set as expected

## What is the new behavior?
- Permissions are properly set throughout the hierarchy
- Workflow structure prevents unintended standalone executions

## Does this introduce a breaking change?
- [ ] Yes
- [x] No

## Other information
---
 .../publish-npm/action.yml}                |  1 +
 .github/workflows/dev-build.yml            |  2 +-
 .github/workflows/nightly.yml              |  5 +--
 .github/workflows/release-ionic.yml        | 16 +++++-----
 .github/workflows/release-orchestrator.yml |  2 +-
 .github/workflows/release.yml              | 31 -------------------
 6 files changed, 12 insertions(+), 45 deletions(-)
 rename .github/{workflows/publish-npm.yml => actions/publish-npm/action.yml} (99%)

diff --git a/.github/workflows/publish-npm.yml b/.github/actions/publish-npm/action.yml
similarity index 99%
rename from .github/workflows/publish-npm.yml
rename to .github/actions/publish-npm/action.yml
index 9730f0e43e..3e58ba9bcc 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/actions/publish-npm/action.yml
@@ -57,3 +57,4 @@ runs:
       run: npm publish ${{ inputs.folder }} --tag ${{ inputs.tag }} --provenance
       shell: bash
       working-directory: ${{ inputs.working-directory }}
+
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
index 0231e43f66..154f155617 100644
--- a/.github/workflows/dev-build.yml
+++ b/.github/workflows/dev-build.yml
@@ -1,7 +1,6 @@
 name: 'Ionic Dev Build'
 
 on:
-  workflow_dispatch:
   workflow_call:
 
 permissions:
@@ -30,6 +29,7 @@ jobs:
   release-ionic:
     needs: [create-dev-hash]
     permissions:
+      contents: read
       id-token: write
     uses: ./.github/workflows/release-ionic.yml
     with:
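Review bot: The `contents: read` added next to `id-token: write` on the `release-ionic` job (hunk @@ -30,6 +29,7) only caps what `./.github/workflows/release-ionic.yml` may request; the called workflow's own job-level `permissions` blocks, which are outside this diff, still have to ask for `id-token: write` on every job that runs the composite action's `npm publish --provenance`, otherwise that step cannot mint the OIDC token. The same addition appears in nightly.yml's `release-ionic` job (hunk @@ -35,6 +31,7), so the check applies to both callers. The top-level `permissions:` block of dev-build.yml is visible only as a context line below `workflow_call:`, so whether the job-level `contents: read` duplicates it cannot be told from the hunk; if it does, the entry is redundant but harmless and documents the intended grant.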
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index e2f5d57c78..af5f64370e 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -1,10 +1,6 @@
 name: 'Ionic Nightly Build'
 
 on:
-  schedule:
-    # Run every Monday-Friday
-    # at 6:00 UTC (6:00 am UTC)
-    - cron: '00 06 * * 1-5'
   workflow_call:
 
 permissions:
@@ -35,6 +31,7 @@ jobs:
   release-ionic:
     needs: [create-nightly-hash]
     permissions:
+      contents: read
       id-token: write
     uses: ./.github/workflows/release-ionic.yml
     with:
diff --git a/.github/workflows/release-ionic.yml b/.github/workflows/release-ionic.yml
index 82d365b0a9..7e37e93be1 100644
--- a/.github/workflows/release-ionic.yml
+++ b/.github/workflows/release-ionic.yml
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: ./.github/workflows/publish-npm.yml
+      - uses: ./.github/actions/publish-npm
         with:
           scope: '@ionic/core'
           tag: ${{ inputs.tag }}
@@ -55,7 +55,7 @@ jobs:
           name: ionic-docs
           path: ./packages/docs
           filename: DocsBuild.zip
-      - uses: ./.github/workflows/publish-npm.yml
+      - uses: ./.github/actions/publish-npm
         with:
           scope: '@ionic/docs'
           tag: ${{ inputs.tag }}
@@ -74,7 +74,7 @@ jobs:
           name: ionic-core
           path: ./core
           filename: CoreBuild.zip
-      - uses: ./.github/workflows/publish-npm.yml
+      - uses: ./.github/actions/publish-npm
         with:
           scope: '@ionic/angular'
           tag: ${{ inputs.tag }}
@@ -100,7 +100,7 @@ jobs:
           name: ionic-core
           path: ./core
           filename: CoreBuild.zip
-      - uses: ./.github/workflows/publish-npm.yml
+      - uses: ./.github/actions/publish-npm
         with:
           scope: '@ionic/react'
           tag: ${{ inputs.tag }}
@@ -125,7 +125,7 @@ jobs:
           name: ionic-core
           path: ./core
           filename: CoreBuild.zip
-      - uses: ./.github/workflows/publish-npm.yml
+      - uses: ./.github/actions/publish-npm
         with:
           scope: '@ionic/vue'
           tag: ${{ inputs.tag }}
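Review bot: `uses: ./.github/actions/publish-npm` is a local action reference, so each job using it must have run `actions/checkout` earlier in the same job; only the @@ -24,7 +24,7 hunk shows the pinned checkout in context, while the jobs in hunks @@ -55, -74, -100, -125, -150, -176 and -201 begin outside their hunks and should be confirmed to check out the repository (at the same ref as the workflow) before the artifact download step. The composite action ends in `npm publish … --provenance` (publish-npm hunk), which requires `id-token: write` on each of these eight jobs; their `permissions` blocks are not in the diff, and the `contents: read`/`id-token: write` ceiling set by the callers in dev-build.yml and nightly.yml does not grant it by itself. Since `tag: ${{ inputs.tag }}` is forwarded into an action whose bash `run:` line expands `inputs.folder` and `inputs.tag` inline, consider having the action read those values from `env:` instead so the shell never re-parses an expression result.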
@@ -150,7 +150,7 @@ jobs:
           name: ionic-core
           path: ./core
           filename: CoreBuild.zip
-      - uses: ./.github/workflows/publish-npm.yml
+      - uses: ./.github/actions/publish-npm
         with:
           scope: '@ionic/angular-server'
           tag: ${{ inputs.tag }}
@@ -176,7 +176,7 @@ jobs:
           name: ionic-react
           path: ./packages/react
           filename: ReactBuild.zip
-      - uses: ./.github/workflows/publish-npm.yml
+      - uses: ./.github/actions/publish-npm
         with:
           scope: '@ionic/react-router'
           tag: ${{ inputs.tag }}
@@ -201,7 +201,7 @@ jobs:
           name: ionic-vue
           path: ./packages/vue
           filename: VueBuild.zip
-      - uses: ./.github/workflows/publish-npm.yml
+      - uses: ./.github/actions/publish-npm
         with:
           scope: '@ionic/vue-router'
           tag: ${{ inputs.tag }}
diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml
index f14706363a..cbbed32290 100644
--- a/.github/workflows/release-orchestrator.yml
+++ b/.github/workflows/release-orchestrator.yml
@@ -1,4 +1,4 @@
-name: 'Ionic Release'
+name: 'Release - Ionic Framework'
 
 on:
   schedule:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6b20b89689..02bcb16b4a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,37 +1,6 @@
 name: 'Ionic Production Release'
 
 on:
-  workflow_dispatch:
-    inputs:
-      version:
-        required: true
-        type: choice
-        description: Which version should be published?
-        options:
-          - patch
-          - minor
-          - major
-          - prepatch
-          - preminor
-          - premajor
-          - prerelease
-      tag:
-        required: true
-        type: choice
-        description: Which npm tag should this be published to?
-        options:
-          - latest
-          - next
-      preid:
-        type: choice
-        description: Which prerelease identifier should be used? This is only needed when version is "prepatch", "preminor", "premajor", or "prerelease".
-        default: ''
-        options:
-          - ''
-          - alpha
-          - beta
-          - rc
-          - next
   workflow_call:
     inputs:
       version: