From e57cb1b245c4538f97b2eae989d1b10579ca0a35 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Jun 2025 03:13:23 +0000
Subject: [PATCH 1/2] chore: bump @npmcli/template-oss from 4.24.3 to 4.24.4

Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.24.3 to 4.24.4.
- [Release notes](https://github.com/npm/template-oss/releases)
- [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/template-oss/compare/v4.24.3...v4.24.4)

---
updated-dependencies:
- dependency-name: @npmcli/template-oss
  dependency-version: 4.24.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 9174468..00b8674 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^5.0.0",
-    "@npmcli/template-oss": "4.24.3",
+    "@npmcli/template-oss": "4.24.4",
     "tap": "^16.3.0"
   },
   "scripts": {

From 62f2d3b59d591eaf479c4f86e803991a7d0d08b9 Mon Sep 17 00:00:00 2001
From: Michael Smith <owlstronaut@github.com>
Date: Thu, 26 Jun 2025 11:17:20 -0700
Subject: [PATCH 2/2] chore: postinstall for dependabot template-oss PR

---
 .github/workflows/audit.yml               | 3 +++
 .github/workflows/ci-release.yml          | 4 ++++
 .github/workflows/ci.yml                  | 3 +++
 .github/workflows/codeql-analysis.yml     | 3 +++
 .github/workflows/post-dependabot.yml     | 2 +-
 .github/workflows/pull-request.yml        | 3 +++
 .github/workflows/release-integration.yml | 4 ++++
 .github/workflows/release.yml             | 1 +
 package.json                              | 2 +-
 9 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index a3ae725..85282bd 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -8,6 +8,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     name: Audit Dependencies
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 673f9ca..d9fcb92 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -18,6 +18,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     name: Lint All
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a44b227..b991984 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 15c8efe..af848e1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,6 +13,9 @@ on:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml
index 1ea8693..3a91911 100644
--- a/.github/workflows/post-dependabot.yml
+++ b/.github/workflows/post-dependabot.yml
@@ -54,7 +54,7 @@ jobs:
           else
             # strip leading slash from directory so it works as a
             # a path to the workspace flag
-            echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT
+            echo "workspace=--workspace ${dependabot_dir#/}" >> $GITHUB_OUTPUT
           fi
 
       - name: Apply Changes
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 7dbdfd4..c69932d 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -10,6 +10,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     name: Lint Commits
diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index 130578e..9ca9a2b 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -19,6 +19,10 @@ on:
       PUBLISH_TOKEN:
         required: true
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   publish:
     name: Publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 75acebb..53ff3c2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -244,6 +244,7 @@ jobs:
     if: needs.release.outputs.releases
     uses: ./.github/workflows/release-integration.yml
     permissions:
+      contents: read
       id-token: write
     secrets:
       PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
diff --git a/package.json b/package.json
index 00b8674..a94a6b9 100644
--- a/package.json
+++ b/package.json
@@ -46,7 +46,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.24.3",
+    "version": "4.24.4",
     "publish": "true"
   }
 }