From 9cb372e2b39e631a5455b18b086d38e902f91e82 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 28 Jul 2025 07:52:34 +0200
Subject: [PATCH] fix(openapi): Fix openapi command after security hardening

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 workflow-templates/command-compile.yml | 2 +-
 workflow-templates/command-openapi.yml | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml
index d5ecf01a..1c829dcc 100644
--- a/workflow-templates/command-compile.yml
+++ b/workflow-templates/command-compile.yml
@@ -172,7 +172,7 @@ jobs:
 
       - name: Force push
         if: ${{ contains(needs.init.outputs.arg1, 'rebase') || contains(needs.init.outputs.arg1, 'amend') }}
-        run: git push --force origin '${{ needs.init.outputs.head_ref }}'
+        run: git push --force-with-lease origin '${{ needs.init.outputs.head_ref }}'
 
       - name: Add reaction on failure
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml
index fa55fc50..1dfeb0f6 100644
--- a/workflow-templates/command-openapi.yml
+++ b/workflow-templates/command-openapi.yml
@@ -97,7 +97,7 @@ jobs:
 
     steps:
       - name: Restore cached git repository
-        uses: buildjet/cache@e376f15c6ec6dc595375c78633174c7e5f92dc0e # v3
+        uses: buildjet/cache@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2
         with:
           path: .git
           key: git-repo
@@ -105,7 +105,8 @@ jobs:
       - name: Checkout ${{ needs.init.outputs.head_ref }}
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          persist-credentials: false
+          # Needed to allow force push later
+          persist-credentials: true
           token: ${{ secrets.COMMAND_BOT_PAT }}
           fetch-depth: 0
           ref: ${{ needs.init.outputs.head_ref }}
@@ -186,7 +187,7 @@ jobs:
 
       - name: Force push
         if: ${{ contains(needs.init.outputs.arg1, 'rebase') || contains(needs.init.outputs.arg1, 'amend') }}
-        run: git push --force origin '${{ needs.init.outputs.head_ref }}'
+        run: git push --force-with-lease origin '${{ needs.init.outputs.head_ref }}'
 
       - name: Add reaction on failure
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0