template: Tighten permissions

Request only for the permissions we need to use. In particular,
explicitly request no permissions when none are needed, as the default
gives at least contents write permission.

Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>

Author: llucax

cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/auto-dependabot.yaml

@@ -32,6 +32,12 @@ jobs:
         with:
           app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
           private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
+          # Merge Dependabot PRs.
+          permission-contents: write
+          # Create the auto-merged label if it does not exist.
+          permission-issues: write
+          # Approve PRs, add labels, and enable auto-merge.
+          permission-pull-requests: write
 
       - name: Auto-merge Dependabot PR
         uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0

cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/ci-pr.yaml

@@ -4,6 +4,10 @@ name: Test PR
 on:
   pull_request:
 
+permissions:
+  # Read repository contents for checkout and dependency resolution only.
+  contents: read
+
 env:
   # Please make sure this version is included in the `matrix`, as the
   # `matrix` section can't use `env`, so it must be entered manually

cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/ci.yaml

@@ -16,6 +16,10 @@ on:
       - 'dependabot/**'
   workflow_dispatch:
 
+permissions:
+  # Read repository contents for checkout and dependency resolution only.
+  contents: read
+
 env:
   # Please make sure this version is included in the `matrix`, as the
   # `matrix` section can't use `env`, so it must be entered manually
@@ -95,6 +99,8 @@ jobs:
     # We skip this job only if nox was also skipped
     if: always() && needs.nox.result != 'skipped'
     runs-on: ubuntu-slim
+    # Drop token permissions: this job only checks matrix status from `needs`.
+    permissions: {}
     env:
       DEPS_RESULT: ${{ needs.nox.result }}
     steps:
@@ -202,6 +208,8 @@ jobs:
     # We skip this job only if test-installation was also skipped
     if: always() && needs.test-installation.result != 'skipped'
     runs-on: ubuntu-slim
+    # Drop token permissions: this job only checks matrix status from `needs`.
+    permissions: {}
     env:
       DEPS_RESULT: ${{ needs.test-installation.result }}
     steps:

cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/dco-merge-queue.yml

@@ -4,6 +4,9 @@ name: DCO
 on:
   merge_group:
 
+# Drop all token permissions: this workflow only runs a local echo command.
+permissions: {}
+
 jobs:
   DCO:
     runs-on: ubuntu-slim

cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/repo-config-migration.yaml

@@ -50,6 +50,14 @@ jobs:
         with:
           app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
           private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
+          # Push migration commits to the PR branch.
+          permission-contents: write
+          # Manage labels when auto-merging patch-only updates.
+          permission-issues: write
+          # Approve pull requests and enable auto-merge.
+          permission-pull-requests: write
+          # Allow pushes when migration changes workflow files.
+          permission-workflows: write
       - name: Migrate
         uses: frequenz-floss/gh-action-dependabot-migrate@07dc7e74726498c50726a80cc2167a04d896508f # v1.0.0
         with:

tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/.github/workflows/auto-dependabot.yaml

@@ -31,6 +31,12 @@ jobs:
         with:
           app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
           private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
+          # Merge Dependabot PRs.
+          permission-contents: write
+          # Create the auto-merged label if it does not exist.
+          permission-issues: write
+          # Approve PRs, add labels, and enable auto-merge.
+          permission-pull-requests: write
 
       - name: Auto-merge Dependabot PR
         uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0

tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/.github/workflows/ci-pr.yaml

@@ -3,6 +3,10 @@ name: Test PR
 on:
   pull_request:
 
+permissions:
+  # Read repository contents for checkout and dependency resolution only.
+  contents: read
+
 env:
   # Please make sure this version is included in the `matrix`, as the
   # `matrix` section can't use `env`, so it must be entered manually

tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/.github/workflows/ci.yaml

@@ -15,6 +15,10 @@ on:
       - 'dependabot/**'
   workflow_dispatch:
 
+permissions:
+  # Read repository contents for checkout and dependency resolution only.
+  contents: read
+
 env:
   # Please make sure this version is included in the `matrix`, as the
   # `matrix` section can't use `env`, so it must be entered manually
@@ -62,6 +66,8 @@ jobs:
     # We skip this job only if nox was also skipped
     if: always() && needs.nox.result != 'skipped'
     runs-on: ubuntu-slim
+    # Drop token permissions: this job only checks matrix status from `needs`.
+    permissions: {}
     env:
       DEPS_RESULT: ${{ needs.nox.result }}
     steps:
@@ -169,6 +175,8 @@ jobs:
     # We skip this job only if test-installation was also skipped
     if: always() && needs.test-installation.result != 'skipped'
     runs-on: ubuntu-slim
+    # Drop token permissions: this job only checks matrix status from `needs`.
+    permissions: {}
     env:
       DEPS_RESULT: ${{ needs.test-installation.result }}
     steps:

tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/.github/workflows/dco-merge-queue.yml

@@ -3,6 +3,9 @@ name: DCO
 on:
   merge_group:
 
+# Drop all token permissions: this workflow only runs a local echo command.
+permissions: {}
+
 jobs:
   DCO:
     runs-on: ubuntu-slim

tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/.github/workflows/repo-config-migration.yaml

@@ -49,6 +49,14 @@ jobs:
         with:
           app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
           private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
+          # Push migration commits to the PR branch.
+          permission-contents: write
+          # Manage labels when auto-merging patch-only updates.
+          permission-issues: write
+          # Approve pull requests and enable auto-merge.
+          permission-pull-requests: write
+          # Allow pushes when migration changes workflow files.
+          permission-workflows: write
       - name: Migrate
         uses: frequenz-floss/gh-action-dependabot-migrate@07dc7e74726498c50726a80cc2167a04d896508f # v1.0.0
         with: