fix: update workflows to replace PROJECT_TOKEN and GITHUB_TOKEN with CPMP_TOKEN

.github/workflows/codeql.yml

@@ -18,7 +18,7 @@ jobs:
   analyze:
     name: CodeQL analysis (${{ matrix.language }})
     runs-on: ubuntu-latest
-    # Skip forked PRs where GITHUB_TOKEN lacks security-events permissions
+    # Skip forked PRs where CPMP_TOKEN lacks security-events permissions
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
     permissions:
       contents: read

.github/workflows/docker-publish.yml

@@ -90,7 +90,7 @@ jobs:
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.PROJECT_TOKEN }}
+          password: ${{ secrets.CPMP_TOKEN }}
 
       - name: Extract metadata (tags, labels)
         if: steps.skip.outputs.skip_build != 'true'
@@ -162,7 +162,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3.26.13
         with:
           sarif_file: 'trivy-results.sarif'
-          token: ${{ secrets.CPMP_GHPR_TOKEN }}
+          token: ${{ secrets.CPMP_TOKEN }}
 
       - name: Create summary
         if: steps.skip.outputs.skip_build != 'true'
@@ -207,7 +207,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
-          password: ${{ secrets.PROJECT_TOKEN }}
+          password: ${{ secrets.CPMP_TOKEN }}
 
       - name: Pull Docker image
         run: docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}

.github/workflows/propagate-changes.yml

@@ -103,4 +103,4 @@ jobs:
               }
             }
         env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_TOKEN }}
+          CPMP_TOKEN: ${{ secrets.CPMP_TOKEN }}

.github/workflows/release.yml

@@ -125,7 +125,7 @@ jobs:
             artifacts/caddy-linux-arm64/caddy-linux-arm64
           generate_release_notes: true
           prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') || contains(github.ref_name, 'rc') }}
-          token: ${{ secrets.PROJECT_TOKEN }}
+          token: ${{ secrets.CPMP_TOKEN }}
 
   build-and-publish:
     needs: create-release

.github/workflows/renovate.yml

@@ -22,6 +22,6 @@ jobs:
         uses: renovatebot/github-action@c91a61c730fa166439cd3e2c300c041590002b1d # v44.0.3
         with:
           configurationFile: .github/renovate.json
-          token: ${{ secrets.PROJECT_TOKEN }}
+          token: ${{ secrets.CPMP_TOKEN }}
         env:
           LOG_LEVEL: info

.github/workflows/renovate_prune.yml

@@ -25,7 +25,7 @@ jobs:
       - name: Prune renovate branches
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
-          github-token: ${{ secrets.PROJECT_TOKEN }}
+          github-token: ${{ secrets.CPMP_TOKEN }}
           script: |
             const owner = context.repo.owner;
             const repo = context.repo.repo;