Cleaning up permissions

.github/workflows/build.yml

@@ -10,7 +10,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-java@v4
+      - name: Install Java
+        uses: actions/setup-java@v4
         with:
           distribution: zulu
           java-version: |

.github/workflows/cla.yml

@@ -6,7 +6,6 @@ on:
   pull_request_target:
     types: [ opened,closed,synchronize ]
 
-# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
 permissions:
   actions: write
   contents: write
@@ -17,14 +16,10 @@ jobs:
   CLAAssistant:
     runs-on: ubuntu-latest
     steps:
-      - name: "CLA Assistant"
+      # https://github.com/contributor-assistant/github-action
+      - name: "CLA Assistant Lite"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
         uses: contributor-assistant/[email protected]
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # the below token should have repo scope and must be manually added by you in the repository's secret
-          # This token is required only if you have configured to store the signatures in a remote repository/organization
-          PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ACCESS_TOKEN }}
         with:
           path-to-signatures: 'cla/version1/signatures/cla.json'
           path-to-document: 'https://github.com/cowwoc/pouch/blob/master/cla/version1/cla.md' # e.g. a CLA or a DCO document

.github/workflows/deploy_to_maven_central.yml

@@ -7,13 +7,18 @@ on:
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: true
+permissions:
+  contents: write
+  id-token: write
+
 env:
   STAGING_HOST: "oss.sonatype.org"
   OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
   OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
   MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
 jobs:
   open-release:
+    name: Open release
     runs-on: ubuntu-latest
     outputs:
       INITIAL_MASTER_POSITION: ${{ steps.create-tag.outputs.INITIAL_MASTER_POSITION }}
@@ -106,9 +111,15 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.open-release.outputs.TAG }}
-          token: ${{ secrets.WORKFLOW_TOKEN }}
           fetch-depth: 0
-      - uses: actions/setup-java@v4
+
+      - name: Configure Git User
+        run: |
+          git config user.email "[email protected]"
+          git config user.name "Gili Tzabari"
+
+      - name: Install Java
+        uses: actions/setup-java@v4
         with:
           distribution: zulu
           java-version: |
@@ -154,13 +165,13 @@ jobs:
           git push
 
   close-release:
+    name: Close release
     needs: [ open-release, deploy ]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.open-release.outputs.TAG }}
-          token: ${{ secrets.WORKFLOW_TOKEN }}
       - uses: actions/setup-java@v4
         with:
           distribution: zulu
@@ -189,16 +200,17 @@ jobs:
 
   # Cleanup on failure: https://stackoverflow.com/a/74562058/14731
   on-failure:
-    needs: [ open-release, deploy, document, close-release ]
+    name: On failure
+    needs: [ open-release, deploy, close-release ]
     runs-on: ubuntu-latest
     if: ${{ failure() || cancelled() }}
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
-          token: ${{ secrets.WORKFLOW_TOKEN }}
           fetch-depth: 0
-      - uses: actions/setup-java@v4
+      - name: Install Java
+        uses: actions/setup-java@v4
         with:
           distribution: zulu
           java-version: |