Add permissions blocks to CI

Signed-off-by: Bradley Reynolds <[email protected]>

Author: shenanigansd

.github/dependabot.yaml

@@ -6,12 +6,6 @@ multi-ecosystem-groups:
       interval: "monthly"
 
 updates:
-  - package-ecosystem: "devcontainers"
-    directory: "/"
-    patterns:
-      - "*"
-    multi-ecosystem-group: "all"
-
   - package-ecosystem: "github-actions"
     directory: "/"
     patterns:

.github/workflows/dependency-review.yaml

@@ -1,4 +1,4 @@
-name: "Dependency Review"
+name: Dependency Review
 
 on:
   pull_request:
@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: "Checkout Repository"
+      - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: "Dependency Review"
+      - name: Dependency Review
         uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
         with:
           config-file: darbiadev/.github/.github/dependency-review-config.yaml@main

.github/workflows/pre-commit.yaml

@@ -1,11 +1,14 @@
-name: "pre-commit"
+name: pre-commit
 
 on:
   push:
     branches:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     uses: darbiadev/.github/.github/workflows/generic-precommit.yaml@91dda16028f109ac78016dd740206fd109740068 # v15.0.0

.github/workflows/python.yaml

@@ -1,4 +1,4 @@
-name: "Python"
+name: Python
 
 on:
   push:
@@ -7,55 +7,58 @@ on:
       - "pyproject.toml"
       - "**/*.py"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
 
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: "Setup Python"
+      - name: Setup Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
-          python-version: "3.x"
+          python-version: 3.x
           allow-prereleases: true
-          cache: "pip"
-          cache-dependency-path: "pyproject.toml"
+          cache: pip
+          cache-dependency-path: pyproject.toml
 
-      - name: "Install dependencies"
+      - name: Install dependencies
         run: python -m pip install .[dev,tests]
 
-      - name: "Check formatting"
+      - name: Check formatting
         run: python -m ruff format --check .
 
-      - name: "Run ruff"
+      - name: Run ruff
         run: python -m ruff check --output-format=github .
 
   test:
     runs-on: ubuntu-latest
 
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: "Setup Python"
+      - name: Setup Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
-          python-version: "3.x"
-          cache: "pip"
-          cache-dependency-path: "pyproject.toml"
+          python-version: 3.x
+          cache: pip
+          cache-dependency-path: pyproject.toml
 
-      - name: "Install dependencies"
+      - name: Install dependencies
         run: |
           python -m pip install coverage pytest
           python -m pip install --editable .[dev,tests]
           python -m pip install --editable scratch/projects/one_two_three
 
-      - name: "Run tests"
+      - name: Run tests
         run: python -m coverage run -m pytest --junitxml=junit.xml -o junit_family=legacy
 
-      - name: "Upload coverage reports to Codecov"
+      - name: Upload coverage reports to Codecov
         uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/rust.yaml

@@ -1,4 +1,4 @@
-name: "Rust CI"
+name: Rust CI
 
 on:
   push:
@@ -8,6 +8,9 @@ on:
       - '**/Cargo.toml'
       - '**/Cargo.lock'
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     uses: darbiadev/.github/.github/workflows/rust-lint.yaml@91dda16028f109ac78016dd740206fd109740068 # v15.0.0