skip pushing out of default branch, skip linting on non-successes, set correct permissions, add run-id and auth to download artifact job

Author: m-aciek

.github/workflows/lint.yml

@@ -5,11 +5,12 @@ on:  # zizmor: ignore[dangerous-triggers]
     workflows: [update and build]
     types: [completed]
 
-permissions: {}
-
 jobs:
   lint:
+    if: github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -28,7 +29,10 @@ jobs:
       - run: sphinx-lint
 
   lint-epub:
+    if: github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     strategy:
       matrix:
         version: [3.15, 3.14]
@@ -41,4 +45,6 @@ jobs:
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: build-${{ matrix.version }}-epub
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
       - run: uvx epubcheck

.github/workflows/update-and-build.yml

@@ -66,7 +66,7 @@ jobs:
         if: env.SIGNIFICANT_CHANGES
       - name: Push commit
         uses: ad-m/github-push-action@881a6320fdb16eb5318c5054f31c218aec2b324c  # v1.3.0
-        if: env.SIGNIFICANT_CHANGES
+        if: env.SIGNIFICANT_CHANGES && (github.event.workflow_run.head_branch == github.event.repository.default_branch)
         with:
           branch: ${{ matrix.version }}
           github_token: ${{ secrets.GITHUB_TOKEN }}