From 87ab18cb9cbf341032995712076eed2d3ab2f5d5 Mon Sep 17 00:00:00 2001
From: David Brownell
Date: Thu, 6 Jun 2024 09:59:26 -0400
Subject: [PATCH] Generated code now includes workflow permissions

---
 .github/workflows/codeql.yml | 3 ++
 .github/workflows/standard.yaml | 39 ++++++++++++----
 .../.github/workflows/codeql.yml | 3 ++
 .../.github/workflows/standard.yaml | 45 +++++++++++++++----
 4 files changed, 73 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3122774..736f635 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,6 +18,9 @@ on:
 branches: [ "main" ]
 schedule:
 - cron: '32 17 * * 0'
+ workflow_dispatch:
+
+permissions: {}
 jobs:
 analyze:
diff --git a/.github/workflows/standard.yaml b/.github/workflows/standard.yaml
index cbef7fa..c593c3b 100644
--- a/.github/workflows/standard.yaml
+++ b/.github/workflows/standard.yaml
@@ -19,11 +19,13 @@ on:
 - cron: '0 0 * * *' # Once a day at 12am UTC
 workflow_dispatch:
+permissions: {}
+
 jobs:
 # ----------------------------------------------------------------------
 action_contexts:
 name: "Display GitHub Action Contexts"
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_display_action_contexts.yaml@CI-v0.18.0
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_display_action_contexts.yaml@CI-v0.19.0
 # ----------------------------------------------------------------------
 validate:
@@ -45,7 +47,10 @@ jobs:
 name: Validate
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python.yaml@CI-v0.19.0
 with:
 operating_system: ${{ matrix.os }}
 python_version: ${{ matrix.python_version }}
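Review bot: With `permissions: {}` now set at workflow level in codeql.yml, the `analyze` job that begins at the end of this hunk must carry its own job-level grant or CodeQL cannot upload results; the job body is outside the hunk, so I cannot confirm it declares `security-events: write` together with `actions: read` and `contents: read`. If that block is already there, a one-line comment above the new top-level key would make the intent readable for the next maintainer: `# Default every job to no token scopes; each job opts in below.` The same applies to the identical hunk in the template copy of codeql.yml under src/PythonProjectBootstrapper/package.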
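Review bot: The `action_contexts` job in standard.yaml is the only job in this file that receives no job-level `permissions:` block, so after the new top-level `permissions: {}` its reusable-workflow call runs with an empty GITHUB_TOKEN scope; if callable_display_action_contexts.yaml only echoes contexts that is the right outcome, but the asymmetry reads as an omission and deserves a comment such as `# no permissions block: this job only prints contexts and needs no token scopes`. Separately, every `uses:` line bumped here and in the later hunks still references the reusable workflows by the mutable tag `CI-v0.19.0`; pinning to the full commit SHA the tag currently resolves to, with the tag kept in a trailing comment, means a moved tag can no longer change what this workflow executes. Both points apply equally to the template's standard.yaml.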
@@ -56,7 +61,10 @@ jobs:
 name: Postprocess Coverage Info
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_package_python_coverage.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_package_python_coverage.yaml@CI-v0.19.0
 with:
 gist_id: 2f9d770d13e3a148424f374f74d41f4b
 gist_filename: PythonProjectBootstrapper_coverage.json
@@ -85,7 +93,10 @@ jobs:
 name: Create Package
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_package.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_package.yaml@CI-v0.19.0
 with:
 operating_system: ${{ matrix.os }}
 python_version: ${{ matrix.python_version }}
@@ -112,7 +123,10 @@ jobs:
 name: Validate Package
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_package.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_package.yaml@CI-v0.19.0
 with:
 operating_system: ${{ matrix.os }}
 python_version: ${{ matrix.python_version }}
@@ -136,7 +150,10 @@ jobs:
 name: Create Binary
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_binary.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_binary.yaml@CI-v0.19.0
 with:
 operating_system: ${{ matrix.os }}
 python_version: ${{ matrix.python_version }}
@@ -159,7 +176,10 @@ jobs:
 name: Validate Binary
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_binary.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_binary.yaml@CI-v0.19.0
 with:
 operating_system: ${{ matrix.os }}
 python_version: ${{ matrix.python_version }}
@@ -173,7 +193,10 @@ jobs:
 name: Publish
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_publish_python.yaml@CI-v0.18.0
+ permissions:
+ contents: write
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_publish_python.yaml@CI-v0.19.0
 with:
 release_sources_configuration_filename: .github/release_sources.yaml
 secrets:
diff --git a/src/PythonProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/codeql.yml b/src/PythonProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/codeql.yml
index 305b591..f556c1d 100644
--- a/src/PythonProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/codeql.yml
+++ b/src/PythonProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/codeql.yml
@@ -18,6 +18,9 @@ on:
 branches: [ "main" ]
 schedule:
 - cron: '0 0 * * *'
+ workflow_dispatch:
+
+permissions: {}
 jobs:
 analyze:
diff --git a/src/PythonProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/standard.yaml b/src/PythonProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/standard.yaml
index 7792019..55ee1ef 100644
--- a/src/PythonProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/standard.yaml
+++ b/src/PythonProjectBootstrapper/package/{{ cookiecutter.__empty_dir }}/.github/workflows/standard.yaml
@@ -14,11 +14,13 @@ on:
 - cron: '0 0 * * *' # Once a day at 12am UTC
 workflow_dispatch:
+permissions: {}
+
 jobs:
 # ----------------------------------------------------------------------
 action_contexts:
 name: "Display GitHub Action Contexts"
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_display_action_contexts.yaml@CI-v0.18.0
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_display_action_contexts.yaml@CI-v0.19.0
 # ----------------------------------------------------------------------
 validate:
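Review bot: `contents: write` on the Publish job is the one elevated scope introduced in standard.yaml, and the hunk does not record what it is for; a comment on the grant, e.g. `# contents: write — presumably needed to create the GitHub release; confirm against callable_publish_python.yaml`, keeps the next reader from widening or narrowing it blindly. The `secrets:` mapping that follows is cut off by the hunk, so I cannot see what the called workflow expects; should publishing ever move to OIDC-based trusted publishing, `id-token: write` would have to be added to this block as well. The `packages: write` grant on the template's Create Docker Image job, in a later hunk of this patch, deserves the same kind of explanatory comment.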
@@ -40,7 +42,10 @@ jobs:
 name: Validate
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python.yaml@CI-v0.19.0
 with:
 operating_system: {% raw %}${{ matrix.os }}{% endraw %}
 python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -51,7 +56,10 @@ jobs:
 name: Postprocess Coverage Info
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_package_python_coverage.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_package_python_coverage.yaml@CI-v0.19.0
 with:
 gist_id: {{ cookiecutter.gist_id }}
 gist_filename: {{ cookiecutter.github_project_name }}_coverage.json
@@ -80,7 +88,10 @@ jobs:
 name: Create Package
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_package.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_package.yaml@CI-v0.19.0
 with:
 operating_system: {% raw %}${{ matrix.os }}{% endraw %}
 python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -107,7 +118,10 @@ jobs:
 name: Validate Package
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_package.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_package.yaml@CI-v0.19.0
 with:
 operating_system: {% raw %}${{ matrix.os }}{% endraw %}
 python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -131,7 +145,10 @@ jobs:
 name: Create Binary
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_binary.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_python_binary.yaml@CI-v0.19.0
 with:
 operating_system: {% raw %}${{ matrix.os }}{% endraw %}
 python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -154,7 +171,10 @@ jobs:
 name: Validate Binary
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_binary.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_validate_python_binary.yaml@CI-v0.19.0
 with:
 operating_system: {% raw %}${{ matrix.os }}{% endraw %}
 python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -178,7 +198,11 @@ jobs:
 name: Create Docker Image
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_docker_image.yaml@CI-v0.18.0
+ permissions:
+ contents: read
+ packages: write
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_create_docker_image.yaml@CI-v0.19.0
 with:
 operating_system: ubuntu-latest
 python_version: {% raw %}${{ matrix.python_version }}{% endraw %}
@@ -200,7 +224,10 @@ jobs:
 name: Publish
- uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_publish_python.yaml@CI-v0.18.0
+ permissions:
+ contents: write
+
+ uses: davidbrownell/dbrownell_DevTools/.github/workflows/callable_publish_python.yaml@CI-v0.19.0
 with:
 release_sources_configuration_filename: .github/release_sources.yaml
 secrets: