
Conversation

@DecSmith42 (Owner)

This pull request introduces a new default GitHub workflow permissions configuration that sets permissions to "none" by default, both in workflow YAML files and in the code that generates them. Additionally, it removes support for the obsolete artifact-metadata and models permissions, and provides a new utility for applying the "none" permissions option in workflow definitions.

Key changes:

Default Permissions Handling:

  • Added permissions: { } to .github/workflows/Build.yml and .github/workflows/Validate.yml to explicitly set default permissions to none in these workflows.
  • Introduced GithubTokenPermissionsOption.NoneAll, a static option that sets all permissions to None, and applied it to workflow definitions in _atom/Build.cs.
  • Updated workflow writer logic to output permissions: { } when NoneAll is selected.

Permissions Option Refactoring:

  • Removed obsolete artifact-metadata and models properties from GithubTokenPermissionsOption and their usage throughout the codebase.

API Improvements:

  • Added a new extension method WithGithubTokenPermissions for easier application of permissions options to workflow target definitions.

Added `NoneAll` option to `GithubTokenPermissionsOption` to specify no permissions for all fields. Updated logic in `GithubWorkflowWriter` to handle the new `NoneAll` option. Removed unused permissions such as `ArtifactMetadata` and `Models` to simplify the codebase. Extended `WorkflowTargetDefinition` to support custom token permission options.
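The workflow shape the description refers to, written out as an added example rather than the repository's own generated Build.yml: a workflow-level `permissions: {}` that leaves GITHUB_TOKEN with no scopes, one job that inherits that empty set (plus the read scope it needs to check out a private repository), and one job that re-grants a single write scope. The job names, trigger, steps and the exact scopes granted to the release job are assumptions for illustration, not what the project's PushToRelease job declares.

```yaml
# Added example; not the repository's generated Build.yml.
# Job names, trigger, steps and the release job's scopes are assumptions.
name: Build

on:
  push:
    branches: [main]

# Workflow-level default: GITHUB_TOKEN starts with no scopes at all.
# Without this key the token falls back to the repository's default
# token setting, which may be read/write on every scope.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    # A job-level block REPLACES the workflow-level one for this job, it does
    # not merge with it, so list every scope the job needs. actions/checkout
    # needs contents:read to clone a private repository; nothing else is granted.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: dotnet build

  push-to-release:
    runs-on: ubuntu-latest
    needs: build
    # Assumed: only contents:write, enough to push a tag or create a release.
    # A compromised step in the build job above cannot do this, because that
    # job's token carries no write scope.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./release.sh   # assumed release script
```

When reviewing a generated workflow, the check is twofold: the top-level key must be present and empty (an absent key silently inherits the repository default), and every job-level `permissions` block must be read as a complete replacement list, so a job that adds `contents: write` without restating `contents: read` still works, but a job that only needs reads must not be handed the write scope by copy-paste.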
Copilot AI review requested due to automatic review settings December 11, 2025 12:22
@DecSmith42 DecSmith42 enabled auto-merge December 11, 2025 12:23
Copilot AI (Contributor) left a comment

Pull request overview

This pull request enhances GitHub workflow security by introducing explicit "none" permissions as the default configuration. The changes implement a new NoneAll static option that sets all GitHub token permissions to none, removes obsolete permission types that are no longer supported by GitHub Actions, and provides a utility method for easier permission configuration at the target level.

  • Introduces GithubTokenPermissionsOption.NoneAll for explicit none permissions with shorthand YAML syntax permissions: { }
  • Removes obsolete artifact-metadata and models permissions from the permissions model
  • Adds WithGithubTokenPermissions extension method for target-level permission configuration

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Summary per file:

  • _atom/Build.cs: applies the NoneAll permissions option to the Validate and Build workflows, establishing a secure-by-default permission model.
  • DecSm.Atom.Module.GithubWorkflows/Generation/Options/GithubTokenPermissionsOption.cs: adds the NoneAll static option, removes the obsolete ArtifactMetadata and Models properties, and updates ReadAll and WriteAll to exclude the removed permissions.
  • DecSm.Atom.Module.GithubWorkflows/Generation/GithubWorkflowWriter.cs: implements YAML generation for the NoneAll option to output the permissions: { } shorthand.
  • DecSm.Atom.Module.GithubWorkflows/Extensions.cs: adds the WithGithubTokenPermissions extension method for applying permission options to workflow target definitions.
  • .github/workflows/Validate.yml: adds an explicit permissions: { } declaration, generated from the updated workflow definition.
  • .github/workflows/Build.yml: adds an explicit permissions: { } declaration at workflow level while maintaining job-specific permissions for PushToRelease.


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@DecSmith42 DecSmith42 merged commit 8c887ba into main Dec 11, 2025
31 of 33 checks passed
@DecSmith42 DecSmith42 deleted the improvement/github-token-permissions branch December 11, 2025 12:38