a5chin · a5chin · Feb 18, 2026 · Feb 16, 2026
@@ -11,7 +11,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  delete-branch:
+  branch:
     runs-on: ubuntu-latest
 
     steps:
@@ -30,6 +30,59 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 
+  environments:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        include:
+          - environment: Develop
+            branch: develop
+          - environment: Production
+            branch: main
+          - environment: github-pages
+            branch: gh-pages
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_KEY }}
+
+      - name: Configure Environment
+        run: |
+          if [ ! -f ${{ env.CONFIG_FILE }} ]; then
+            echo "Error: ${{ env.CONFIG_FILE }} not found!"
+            exit 1
+          fi
+
+          jq -c ".\"${{ env.ENVIRONMENT_NAME }}\"" ${{ env.CONFIG_FILE }} | gh api -X PUT "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}" --input -
+
+          CUSTOM_BRANCH_POLICIES=$(jq -r ".\"${{ env.ENVIRONMENT_NAME }}\".deployment_branch_policy.custom_branch_policies" ${{ env.CONFIG_FILE }})
+
+          if [ "$CUSTOM_BRANCH_POLICIES" != true ]; then
+            IDS=$(gh api "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies" --jq '.branch_policies[].id' || true)
+            for ID in $IDS; do
+              gh api -X DELETE "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies/$ID" --silent || true
+            done
+            exit 0
+          fi
+
+          gh api -X POST "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies" \
+            -f "name=${{ env.BRANCH_NAME }}" \
+            -f "type=branch"
+        env:
+          CONFIG_FILE: .github/environments.json
+          BRANCH_NAME: ${{ matrix.branch }}
+          ENDPOINT: repos/${{ github.repository }}/environments
+          ENVIRONMENT_NAME: ${{ matrix.environment }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+
   pages:
     runs-on: ubuntu-latest
 
@@ -56,55 +109,29 @@ jobs:
           TARGET_PATH: /
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 
-  protection:
+  permission:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
       - name: Generate a token
         id: generate-token
         uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.APP_KEY }}
 
-      - name: Apply Branch Protection Rules
+      - name: Configure Actions Workflow Permissions
         run: |
-          if [ ! -f ${{ env.CONFIG_FILE }} ]; then
-            echo "Error: ${{ env.CONFIG_FILE }} not found!"
-            exit 1
-          fi
-
-          BRANCHES=$(jq -r 'keys[]' ${{ env.CONFIG_FILE }})
-
-          for BRANCH in $BRANCHES; do
-            if ! gh api "${{ env.ENDPOINT }}/$BRANCH" --silent >/dev/null 2>&1; then
-              echo "Warning: Branch $BRANCH does not exist in this repository. Skipping..."
-              continue
-            fi
-
-            jq -c ".\"$BRANCH\"" ${{ env.CONFIG_FILE }} | gh api -X PUT "${{ env.ENDPOINT }}/$BRANCH/protection" --input -
-          done
+          gh api -X PUT "${{ env.ENDPOINT }}" \
+            -f "default_workflow_permissions=write" \
+            -F "can_approve_pull_request_reviews=true"
         env:
-          CONFIG_FILE: .github/protection.json
-          ENDPOINT: repos/${{ github.repository }}/branches
+          ENDPOINT: repos/${{ github.repository }}/actions/permissions/workflow
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 
-  environments:
+  protection:
     runs-on: ubuntu-latest
 
-    strategy:
-      matrix:
-        include:
-          - environment: Develop
-            branch: develop
-          - environment: Production
-            branch: main
-          - environment: github-pages
-            branch: gh-pages
-
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -116,31 +143,24 @@ jobs:
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.APP_KEY }}
 
-      - name: Configure Environment
+      - name: Apply Branch Protection Rules
         run: |
           if [ ! -f ${{ env.CONFIG_FILE }} ]; then
             echo "Error: ${{ env.CONFIG_FILE }} not found!"
             exit 1
           fi
 
-          jq -c ".\"${{ env.ENVIRONMENT_NAME }}\"" ${{ env.CONFIG_FILE }} | gh api -X PUT "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}" --input -
-
-          CUSTOM_BRANCH_POLICIES=$(jq -r ".\"${{ env.ENVIRONMENT_NAME }}\".deployment_branch_policy.custom_branch_policies" ${{ env.CONFIG_FILE }})
+          BRANCHES=$(jq -r 'keys[]' ${{ env.CONFIG_FILE }})
 
-          if [ "$CUSTOM_BRANCH_POLICIES" != true ]; then
-            IDS=$(gh api "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies" --jq '.branch_policies[].id' || true)
-            for ID in $IDS; do
-              gh api -X DELETE "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies/$ID" --silent || true
-            done
-            exit 0
-          fi
+          for BRANCH in $BRANCHES; do
+            if ! gh api "${{ env.ENDPOINT }}/$BRANCH" --silent >/dev/null 2>&1; then
+              echo "Warning: Branch $BRANCH does not exist in this repository. Skipping..."
+              continue
+            fi
 
-          gh api -X POST "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies" \
-            -f "name=${{ env.BRANCH_NAME }}" \
-            -f "type=branch"
+            jq -c ".\"$BRANCH\"" ${{ env.CONFIG_FILE }} | gh api -X PUT "${{ env.ENDPOINT }}/$BRANCH/protection" --input -
+          done
         env:
-          CONFIG_FILE: .github/environments.json
-          BRANCH_NAME: ${{ matrix.branch }}
-          ENDPOINT: repos/${{ github.repository }}/environments
-          ENVIRONMENT_NAME: ${{ matrix.environment }}
+          CONFIG_FILE: .github/protection.json
+          ENDPOINT: repos/${{ github.repository }}/branches
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}