Tighten GitHub CI/CD permissions and other corrections

Author: AndrewQuijano

.github/labeler.yml

@@ -5,16 +5,22 @@ Github-files:
   - '.github/**'
 
 Tests:
-  - 'tests/**'
-
-Analysis:
-  - 'analysis/**'
+  - 'src/tests/**'
 
 Core:
-  - 'core/**'
+  - 'src/libinspector/**.py'
+  - 'pyproject.toml'
+  - 'setup.py'
+  - 'uv.lock'
+
+Scripts:
+  - '**/*.sh'
+  - '**/*.ps1'
+  - '**/*.bat'
 
 Data:
-  - 'data/**'
+  - 'src/libinspector/data/**'
 
-UI:
-  - 'ui/**'
+Streamlit:
+  - 'src/libinspector/.streamlit/**'
+  - '.streamlit/**'

.github/workflows/create_release.yml

@@ -6,9 +6,15 @@ on:
     branches:
       - master
 
+# Set no permissions by default. This is the most secure practice.
+# We will grant specific permissions to each job that needs them.
+permissions: {}
+
 jobs:
   create_release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       v-version: ${{ steps.version.outputs.v-version }}
     steps:
@@ -22,6 +28,8 @@ jobs:
 
   build:
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     needs: [create_release]
     strategy:
       fail-fast: false
@@ -101,6 +109,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag_name: ${{ needs.create_release.outputs.v-version }}
+          draft: false
+          generate_release_notes: true
+          prerelease: false
           files: |
             dist/*.exe
             dist/*.whl

.github/workflows/inspector_test.yaml

@@ -7,9 +7,15 @@ on:
   schedule:
     - cron: '0 0 */30 * *'
 
+# Set no permissions by default. This is the most secure practice.
+# We will grant specific permissions to each job that needs them.
+permissions: {}
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: