babylonlabs-io · Lazar955 · Jan 20, 2026 · Jan 19, 2026
@@ -1,14 +1,14 @@
 # Adapted from https://github.com/marketplace/actions/backporting
 #
-# Usage: 
+# Usage:
 #   - Let's say you want to backport a pull request on a branch named `production`.
 #   - Then label it with `backport production`.
-#   - That's it! When the pull request gets merged, it will be backported to 
-#     the `production` branch. If the pull request cannot be backported, a comment 
+#   - That's it! When the pull request gets merged, it will be backported to
+#     the `production` branch. If the pull request cannot be backported, a comment
 #     explaining why will automatically be posted.
 #
-# Note: multiple backport labels can be added. For example, if a pull request 
-#       has the labels `backport staging` and `backport production` it will be 
+# Note: multiple backport labels can be added. For example, if a pull request
+#       has the labels `backport staging` and `backport production` it will be
 #       backported to both branches: `staging` and `production`.
 name: Backport
 on:

@@ -7,21 +7,21 @@
 
 jobs:
   lint_test:
-    uses: babylonlabs-io/.github/.github/workflows/reusable_go_lint_test.yml@5151754256060bf160c411d0784f831f29882106  # v0.13.4
+    uses: babylonlabs-io/.github/.github/workflows/reusable_go_lint_test.yml@22ae8ed7a2ea5c80331758914c4e0ea732eea1ad # v0.15.0
     with:
      go-version: '1.25'
      go-lint-version: 'v2.4.0'
     run-unit-tests: true
     run-integration-tests: true
     run-lint: true
     run-gosec: true
     gosec-args: "-exclude-generated -exclude-dir=e2etest -exclude-dir=testutil ./..."
     install-dependencies-command: |
       sudo apt-get update
        sudo apt-get install -y libzmq3-dev
 
   docker_pipeline:
-    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@5151754256060bf160c411d0784f831f29882106  # v0.13.4
+    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@22ae8ed7a2ea5c80331758914c4e0ea732eea1ad # v0.15.0
     secrets: inherit
     with:
      publish: false
@@ -10,5 +10,5 @@ permissions:
 
 jobs:
   release:
-    uses: babylonlabs-io/.github/.github/workflows/reusable_go_releaser.yml@5151754256060bf160c411d0784f831f29882106  # v0.13.4
+    uses: babylonlabs-io/.github/.github/workflows/reusable_go_releaser.yml@22ae8ed7a2ea5c80331758914c4e0ea732eea1ad # v0.15.0
     secrets: inherit
@@ -13,10 +13,13 @@ on:
         required: false
         type: boolean
         default: false
-
+
+permissions:
+  contents: read
+
 jobs:
   lint_test:
-    uses: babylonlabs-io/.github/.github/workflows/reusable_go_lint_test.yml@847cd8a6ff9c64e401ce922d12532979d9ac5e93 # v0.14.5
+    uses: babylonlabs-io/.github/.github/workflows/reusable_go_lint_test.yml@22ae8ed7a2ea5c80331758914c4e0ea732eea1ad # v0.15.0
     if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['skip-lint-test'] == true) }}
     with:
       go-version: '1.25'
@@ -30,6 +33,8 @@ jobs:
         sudo apt-get update
         sudo apt-get install -y libzmq3-dev
     permissions:
+      contents: read        # REQUIRED by reusable workflow
+      id-token: write       # REQUIRED for AWS OIDC
       # required for all workflows
       security-events: write
       # required to fetch internal or private CodeQL packs
@@ -43,12 +48,14 @@ jobs:
             needs.lint_test.result == 'success'
           )}}
     needs: ["lint_test"]
-    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@847cd8a6ff9c64e401ce922d12532979d9ac5e93 # v0.14.5
+    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@22ae8ed7a2ea5c80331758914c4e0ea732eea1ad # v0.15.0
     secrets: inherit
     with:
       publish: true
       docker_scan: true
     permissions:
+      contents: read        # REQUIRED by reusable workflow
+      id-token: write       # REQUIRED for AWS OIDC
       # required for all workflows
       security-events: write
       # required to fetch internal or private CodeQL packs