Generated code now includes workflow permissions (#39)

gt-sse-center · Jun 6, 2024 · e83f083 · e83f083
2 parents 95e848b + 87ab18c
commit e83f083
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 17 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -18,6 +18,9 @@ on:
     branches: [ "main" ]
   schedule:
     - cron: '32 17 * * 0'
+  workflow_dispatch:
+
+permissions: {}
 
 jobs:
   analyze:

diff --git a/.github/workflows/standard.yaml b/.github/workflows/standard.yaml
@@ -19,11 +19,13 @@ on:
     - cron: '0 0 * * *' # Once a day at 12am UTC
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   # ----------------------------------------------------------------------
   action_contexts:
     name: "Display GitHub Action Contexts"
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_display_action_contexts.yaml@CI-v0.18.0
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_display_action_contexts.yaml@CI-v0.19.0
 
   # ----------------------------------------------------------------------
   validate:
@@ -45,7 +47,10 @@ jobs:
 
     name: Validate
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python.yaml@CI-v0.19.0
     with:
       operating_system: ${{ matrix.os }}
       python_version: ${{ matrix.python_version }}
@@ -56,7 +61,10 @@ jobs:
 
     name: Postprocess Coverage Info
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_package_python_coverage.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_package_python_coverage.yaml@CI-v0.19.0
     with:
       gist_id: 2f9d770d13e3a148424f374f74d41f4b
       gist_filename: PythonProjectBootstrapper_coverage.json
@@ -85,7 +93,10 @@ jobs:
 
     name: Create Package
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_package.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_package.yaml@CI-v0.19.0
     with:
       operating_system: ${{ matrix.os }}
       python_version: ${{ matrix.python_version }}
@@ -112,7 +123,10 @@ jobs:
 
     name: Validate Package
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_package.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_package.yaml@CI-v0.19.0
     with:
       operating_system: ${{ matrix.os }}
       python_version: ${{ matrix.python_version }}
@@ -136,7 +150,10 @@ jobs:
 
     name: Create Binary
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_binary.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_binary.yaml@CI-v0.19.0
     with:
       operating_system: ${{ matrix.os }}
       python_version: ${{ matrix.python_version }}
@@ -159,7 +176,10 @@ jobs:
 
     name: Validate Binary
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_binary.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_binary.yaml@CI-v0.19.0
     with:
       operating_system: ${{ matrix.os }}
       python_version: ${{ matrix.python_version }}
@@ -173,7 +193,10 @@ jobs:
 
     name: Publish
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_publish_python.yaml@CI-v0.18.0
+    permissions:
+      contents: write
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_publish_python.yaml@CI-v0.19.0
     with:
       release_sources_configuration_filename: .github/release_sources.yaml
     secrets:

diff --git a/...onProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/codeql.yml b/...onProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/codeql.yml
@@ -18,6 +18,9 @@ on:
     branches: [ "main" ]
   schedule:
     - cron: '0 0 * * *'
+  workflow_dispatch:
+
+permissions: {}
 
 jobs:
   analyze:

diff --git a/...rojectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/standard.yaml b/...rojectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/standard.yaml
@@ -14,11 +14,13 @@ on:
     - cron: '0 0 * * *' # Once a day at 12am UTC
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   # ----------------------------------------------------------------------
   action_contexts:
     name: "Display GitHub Action Contexts"
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_display_action_contexts.yaml@CI-v0.18.0
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_display_action_contexts.yaml@CI-v0.19.0
 
   # ----------------------------------------------------------------------
   validate:
@@ -40,7 +42,10 @@ jobs:
 
     name: Validate
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python.yaml@CI-v0.19.0
     with:
       operating_system: {% raw %}${{ matrix.os }}{% endraw %}
       python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -51,7 +56,10 @@ jobs:
 
     name: Postprocess Coverage Info
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_package_python_coverage.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_package_python_coverage.yaml@CI-v0.19.0
     with:
       gist_id: {{ cookiecutter.gist_id }}
       gist_filename: {{ cookiecutter.github_project_name }}_coverage.json
@@ -80,7 +88,10 @@ jobs:
 
     name: Create Package
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_package.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_package.yaml@CI-v0.19.0
     with:
       operating_system: {% raw %}${{ matrix.os }}{% endraw %}
       python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -107,7 +118,10 @@ jobs:
 
     name: Validate Package
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_package.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_package.yaml@CI-v0.19.0
     with:
       operating_system: {% raw %}${{ matrix.os }}{% endraw %}
       python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -131,7 +145,10 @@ jobs:
 
     name: Create Binary
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_binary.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_binary.yaml@CI-v0.19.0
     with:
       operating_system: {% raw %}${{ matrix.os }}{% endraw %}
       python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -154,7 +171,10 @@ jobs:
 
     name: Validate Binary
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_binary.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_binary.yaml@CI-v0.19.0
     with:
       operating_system: {% raw %}${{ matrix.os }}{% endraw %}
       python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -178,7 +198,11 @@ jobs:
 
     name: Create Docker Image
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_docker_image.yaml@CI-v0.18.0
+    permissions:
+      contents: read
+      packages: write
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_docker_image.yaml@CI-v0.19.0
     with:
       operating_system: ubuntu-latest
       python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -200,7 +224,10 @@ jobs:
 
     name: Publish
 
-    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_publish_python.yaml@CI-v0.18.0
+    permissions:
+      contents: write
+
+    uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_publish_python.yaml@CI-v0.19.0
     with:
       release_sources_configuration_filename: .github/release_sources.yaml
     secrets: