[PATCH] Apply workflow_security_rollout patch (#266)

This PR applies the workflow_security_rollout patch.

Co-authored-by: ITensorBot <278814285+ITensorBot@users.noreply.github.com>

Author: ITensorBot

.github/workflows/CheckCompatBounds.yml

@@ -1,9 +1,11 @@
-name: "Check Compat Bounds"
+name: "CheckCompatBounds"
 on:
   pull_request: ~
+permissions:
+  contents: "read"
 jobs:
   check-compat-bounds:
-    name: "Check Compat Bounds"
-    uses: "ITensor/ITensorActions/.github/workflows/CheckCompatBounds.yml@v1"
+    name: "CheckCompatBounds"
+    uses: "ITensor/ITensorActions/.github/workflows/CheckCompatBounds.yml@v2"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"

.github/workflows/CompatHelper.yml

@@ -7,9 +7,9 @@ permissions:
   contents: "write"
   pull-requests: "write"
 jobs:
-  compat-helper:
+  compathelper:
     name: "CompatHelper"
-    uses: "ITensor/ITensorActions/.github/workflows/CompatHelper.yml@v1"
+    uses: "ITensor/ITensorActions/.github/workflows/CompatHelper.yml@v2"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"
     secrets: "inherit"

.github/workflows/Documentation.yml

@@ -10,10 +10,12 @@ on:
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: "${{ github.ref_name != github.event.repository.default_branch || github.ref != 'refs/tags/v*' }}"
+permissions:
+  contents: "write"
 jobs:
-  build-and-deploy-docs:
+  documentation:
     name: "Documentation"
-    uses: "ITensor/ITensorActions/.github/workflows/Documentation.yml@v1"
+    uses: "ITensor/ITensorActions/.github/workflows/Documentation.yml@v2"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"
     secrets:

.github/workflows/FormatCheck.yml

@@ -1,12 +1,14 @@
-name: "Format Check"
+name: "FormatCheck"
 on:
   pull_request:
     types:
       - "opened"
       - "synchronize"
       - "reopened"
       - "ready_for_review"
+permissions:
+  contents: "read"
 jobs:
   format-check:
-    name: "Format Check"
-    uses: "ITensor/ITensorActions/.github/workflows/FormatCheck.yml@v1"
+    name: "FormatCheck"
+    uses: "ITensor/ITensorActions/.github/workflows/FormatCheck.yml@v2"

.github/workflows/FormatCheckComment.yml

@@ -1,16 +1,16 @@
-name: "Format Check Comment"
+name: "FormatCheckComment"
 on:
   workflow_run:
     workflows:
-      - "Format Check"
+      - "FormatCheck"
     types:
       - "completed"
+permissions:
+  pull-requests: "write"
+  actions: "read"
 jobs:
-  comment:
-    name: "Format Check Comment"
+  format-check-comment:
+    name: "FormatCheckComment"
     if: "github.event.workflow_run.event == 'pull_request'"
-    permissions:
-      pull-requests: "write"
-      actions: "read"
-    uses: "ITensor/ITensorActions/.github/workflows/FormatCheckComment.yml@v1"
+    uses: "ITensor/ITensorActions/.github/workflows/FormatCheckComment.yml@v2"
     secrets: "inherit"

.github/workflows/FormatPullRequest.yml

@@ -1,4 +1,4 @@
-name: "Format Pull Request"
+name: "FormatPullRequest"
 on:
   schedule:
     - cron: "0 0 * * *"
@@ -11,6 +11,6 @@ permissions:
   pull-requests: "write"
 jobs:
   format-pull-request:
-    name: "Format Pull Request"
-    uses: "ITensor/ITensorActions/.github/workflows/FormatPullRequest.yml@v1"
+    name: "FormatPullRequest"
+    uses: "ITensor/ITensorActions/.github/workflows/FormatPullRequest.yml@v2"
     secrets: "inherit"

.github/workflows/IntegrationTest.yml

@@ -11,10 +11,13 @@ on:
       - "reopened"
       - "ready_for_review"
       - "converted_to_draft"
+permissions:
+  actions: "read"
+  contents: "read"
 jobs:
   integration-test:
     name: "IntegrationTest"
-    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTest.yml@v1"
+    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTest.yml@v2"
     secrets: "inherit"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"

.github/workflows/IntegrationTestRequest.yml

@@ -1,4 +1,4 @@
-name: "Integration Test Request"
+name: "IntegrationTestRequest"
 on:
   issue_comment:
     types:
@@ -9,11 +9,12 @@ permissions:
   checks: "write"
   pull-requests: "write"
 jobs:
-  integrationrequest:
+  integration-test-request:
+    name: "IntegrationTestRequest"
     if: |
       github.event.issue.pull_request &&
       contains(fromJSON('["OWNER", "COLLABORATOR", "MEMBER"]'), github.event.comment.author_association)
-    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTestRequest.yml@v1"
+    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTestRequest.yml@v2"
     secrets: "inherit"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"

.github/workflows/Registrator.yml

@@ -1,4 +1,4 @@
-name: "Register Package"
+name: "Registrator"
 on:
   workflow_dispatch: ~
   push:
@@ -15,8 +15,9 @@ permissions:
   pull-requests: "write"
   issues: "write"
 jobs:
-  Register:
-    uses: "ITensor/ITensorActions/.github/workflows/Registrator.yml@v1"
+  registrator:
+    name: "Registrator"
+    uses: "ITensor/ITensorActions/.github/workflows/Registrator.yml@v2"
     with:
       localregistry: "ITensor/ITensorRegistry"
     secrets: "inherit"

.github/workflows/TagBot.yml

@@ -6,8 +6,12 @@ on:
   workflow_dispatch: ~
 env:
   REGISTRY_TAGBOT_ACTION: "JuliaRegistries/TagBot"
+permissions:
+  contents: "write"
+  issues: "read"
 jobs:
-  TagBot:
+  tagbot:
+    name: "TagBot"
     if: "github.event_name == 'workflow_dispatch' || github.actor == 'JuliaTagBot'"
-    uses: "ITensor/ITensorActions/.github/workflows/TagBot.yml@v1"
+    uses: "ITensor/ITensorActions/.github/workflows/TagBot.yml@v2"
     secrets: "inherit"