Merge pull request #1382 from projectsyn/ci/reduce-gh-token-permissions

Reduce permissions for GitHub actions tokens

Author: simu

.github/workflows/build-virtualenv-caches.yml

@@ -9,6 +9,8 @@ on:
   schedule:
     - cron: '0 4 * * MON'
 
+permissions: {}
+
 jobs:
   build-lint-virtualenvs:
     runs-on: ubuntu-latest

.github/workflows/cleanup-pr-tag.yml

@@ -6,6 +6,9 @@ name: Delete closed PR container image tag
     types:
       - closed
 
+permissions:
+  packages: write
+
 jobs:
   cleanup-pr-tag:
     runs-on: ubuntu-latest

.github/workflows/publish-pypi.yml

@@ -10,6 +10,8 @@ on:
     branches:
     - master
 
+permissions: {}
+
 jobs:
   build-and-publish:
     # Skip job on forks

.github/workflows/test.yml

@@ -4,6 +4,8 @@ on:
     branches:
     - master
 
+permissions: {}
+
 jobs:
   lints:
     runs-on: ubuntu-latest

tests/test_tools.py

@@ -5,7 +5,7 @@
 import stat
 import sys
 
-from datetime import datetime, timedelta
+from datetime import datetime
 from pathlib import Path
 from typing import Optional
 from unittest.mock import patch, MagicMock
@@ -276,6 +276,7 @@ def test_install_jb(config: Config, fs, capsys):
     config.managed_tools = {}
     _setup_tool_github_responses()
     assert not tools.MANAGED_TOOLS_PATH.exists()
+    before_install = datetime.now().replace(microsecond=0)
 
     tools.install_tool(config, "jb", None)
 
@@ -299,7 +300,10 @@ def test_install_jb(config: Config, fs, capsys):
     assert len(state) == 1
     assert "jb" in state
     updated = datetime.fromisoformat(state["jb"])
-    assert datetime.now() - updated < timedelta(seconds=1)
+    # NOTE(sg): we're not checking timedelta here, instead we're verifying that the updated
+    # timestamp is between now and before we installed the tool.
+    assert datetime.now() > updated
+    assert updated >= before_install
 
 
 @pytest.mark.skipif(