From d7fc1464589105e1fb29c311389beaecd7629443 Mon Sep 17 00:00:00 2001
From: Ashish Bhatia <ashishb@ashishb.net>
Date: Sat, 28 Dec 2024 23:41:51 -0800
Subject: [PATCH] feat: improve all actions base templates (#113)

---
 .../internal/generator/data/build-android-incomplete.yaml    | 4 ++++
 .../internal/generator/data/build-docker-incomplete.yaml     | 4 ++++
 src/gabo/internal/generator/data/build-npm-incomplete.yaml   | 4 ++++
 src/gabo/internal/generator/data/build-yarn-incomplete.yaml  | 4 ++++
 .../internal/generator/data/check-goreleaser-config.yaml     | 4 ++++
 src/gabo/internal/generator/data/format-go.yaml              | 4 ++++
 src/gabo/internal/generator/data/format-python.yaml          | 4 ++++
 src/gabo/internal/generator/data/lint-android.yaml           | 4 ++++
 src/gabo/internal/generator/data/lint-docker.yaml            | 4 ++++
 src/gabo/internal/generator/data/lint-github-actions.yaml    | 4 ++++
 src/gabo/internal/generator/data/lint-go-incomplete.yaml     | 4 ++++
 src/gabo/internal/generator/data/lint-html.yaml              | 4 ++++
 src/gabo/internal/generator/data/lint-markdown.yaml          | 4 ++++
 src/gabo/internal/generator/data/lint-python.yaml            | 4 ++++
 src/gabo/internal/generator/data/lint-shell-script.yaml      | 4 ++++
 src/gabo/internal/generator/data/lint-solidity.yaml          | 4 ++++
 src/gabo/internal/generator/data/lint-yaml.yaml              | 4 ++++
 src/gabo/internal/generator/data/translate-android.yaml      | 5 +++++
 .../generator/data/validate-openapi-schema.incomplete.yaml   | 4 ++++
 .../internal/generator/data/validate-render-blueprint.yaml   | 4 ++++
 20 files changed, 81 insertions(+)

diff --git a/src/gabo/internal/generator/data/build-android-incomplete.yaml b/src/gabo/internal/generator/data/build-android-incomplete.yaml
index 0ceb4b8..728f2e0 100644
--- a/src/gabo/internal/generator/data/build-android-incomplete.yaml
+++ b/src/gabo/internal/generator/data/build-android-incomplete.yaml
@@ -27,6 +27,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   # Run locally with "act -j buildAndroid"
diff --git a/src/gabo/internal/generator/data/build-docker-incomplete.yaml b/src/gabo/internal/generator/data/build-docker-incomplete.yaml
index 9b6d0c9..75d2563 100644
--- a/src/gabo/internal/generator/data/build-docker-incomplete.yaml
+++ b/src/gabo/internal/generator/data/build-docker-incomplete.yaml
@@ -27,6 +27,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   buildDocker:
     runs-on: ubuntu-latest
diff --git a/src/gabo/internal/generator/data/build-npm-incomplete.yaml b/src/gabo/internal/generator/data/build-npm-incomplete.yaml
index 4752313..e745cfd 100644
--- a/src/gabo/internal/generator/data/build-npm-incomplete.yaml
+++ b/src/gabo/internal/generator/data/build-npm-incomplete.yaml
@@ -17,6 +17,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   buildNpm:
     runs-on: ubuntu-latest
diff --git a/src/gabo/internal/generator/data/build-yarn-incomplete.yaml b/src/gabo/internal/generator/data/build-yarn-incomplete.yaml
index 7bf3cc5..ca58536 100644
--- a/src/gabo/internal/generator/data/build-yarn-incomplete.yaml
+++ b/src/gabo/internal/generator/data/build-yarn-incomplete.yaml
@@ -17,6 +17,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   buildYarn:
     runs-on: ubuntu-latest
diff --git a/src/gabo/internal/generator/data/check-goreleaser-config.yaml b/src/gabo/internal/generator/data/check-goreleaser-config.yaml
index 7e2785a..7c88bfd 100644
--- a/src/gabo/internal/generator/data/check-goreleaser-config.yaml
+++ b/src/gabo/internal/generator/data/check-goreleaser-config.yaml
@@ -23,6 +23,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   checkGoReleaserConfig:
diff --git a/src/gabo/internal/generator/data/format-go.yaml b/src/gabo/internal/generator/data/format-go.yaml
index ab29a5c..19d8f12 100644
--- a/src/gabo/internal/generator/data/format-go.yaml
+++ b/src/gabo/internal/generator/data/format-go.yaml
@@ -18,6 +18,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   validateCodeFormatGo:
diff --git a/src/gabo/internal/generator/data/format-python.yaml b/src/gabo/internal/generator/data/format-python.yaml
index 212f18b..6ae05b3 100644
--- a/src/gabo/internal/generator/data/format-python.yaml
+++ b/src/gabo/internal/generator/data/format-python.yaml
@@ -18,6 +18,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   formatPython:
     runs-on: ubuntu-latest
diff --git a/src/gabo/internal/generator/data/lint-android.yaml b/src/gabo/internal/generator/data/lint-android.yaml
index 4359d33..0581c10 100644
--- a/src/gabo/internal/generator/data/lint-android.yaml
+++ b/src/gabo/internal/generator/data/lint-android.yaml
@@ -31,6 +31,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   lintAndroid:
diff --git a/src/gabo/internal/generator/data/lint-docker.yaml b/src/gabo/internal/generator/data/lint-docker.yaml
index 21da347..e2e0fc6 100644
--- a/src/gabo/internal/generator/data/lint-docker.yaml
+++ b/src/gabo/internal/generator/data/lint-docker.yaml
@@ -17,6 +17,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   # Run this locally with act - https://github.com/nektos/act
   # act -j lintDocker
diff --git a/src/gabo/internal/generator/data/lint-github-actions.yaml b/src/gabo/internal/generator/data/lint-github-actions.yaml
index 750affe..ae9e4ac 100644
--- a/src/gabo/internal/generator/data/lint-github-actions.yaml
+++ b/src/gabo/internal/generator/data/lint-github-actions.yaml
@@ -19,6 +19,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintGitHubActionsWithActionLint:
     runs-on: ubuntu-latest
diff --git a/src/gabo/internal/generator/data/lint-go-incomplete.yaml b/src/gabo/internal/generator/data/lint-go-incomplete.yaml
index 3863a25..ccddf27 100644
--- a/src/gabo/internal/generator/data/lint-go-incomplete.yaml
+++ b/src/gabo/internal/generator/data/lint-go-incomplete.yaml
@@ -18,6 +18,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   # Run it locally with https://github.com/nektos/act
diff --git a/src/gabo/internal/generator/data/lint-html.yaml b/src/gabo/internal/generator/data/lint-html.yaml
index 7f3edfe..eeeb714 100644
--- a/src/gabo/internal/generator/data/lint-html.yaml
+++ b/src/gabo/internal/generator/data/lint-html.yaml
@@ -19,6 +19,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   # Run this locally with act - https://github.com/nektos/act
diff --git a/src/gabo/internal/generator/data/lint-markdown.yaml b/src/gabo/internal/generator/data/lint-markdown.yaml
index 4692f8d..5c79bf1 100644
--- a/src/gabo/internal/generator/data/lint-markdown.yaml
+++ b/src/gabo/internal/generator/data/lint-markdown.yaml
@@ -19,6 +19,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintMarkdown:
     runs-on: ubuntu-latest
diff --git a/src/gabo/internal/generator/data/lint-python.yaml b/src/gabo/internal/generator/data/lint-python.yaml
index a361eb1..f27b766 100644
--- a/src/gabo/internal/generator/data/lint-python.yaml
+++ b/src/gabo/internal/generator/data/lint-python.yaml
@@ -22,6 +22,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintPython:
     runs-on: ubuntu-latest
diff --git a/src/gabo/internal/generator/data/lint-shell-script.yaml b/src/gabo/internal/generator/data/lint-shell-script.yaml
index f375764..e44c427 100644
--- a/src/gabo/internal/generator/data/lint-shell-script.yaml
+++ b/src/gabo/internal/generator/data/lint-shell-script.yaml
@@ -21,6 +21,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   lintShellScript:
diff --git a/src/gabo/internal/generator/data/lint-solidity.yaml b/src/gabo/internal/generator/data/lint-solidity.yaml
index debe26f..83829fa 100644
--- a/src/gabo/internal/generator/data/lint-solidity.yaml
+++ b/src/gabo/internal/generator/data/lint-solidity.yaml
@@ -16,6 +16,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   # Run it locally with https://github.com/nektos/act
diff --git a/src/gabo/internal/generator/data/lint-yaml.yaml b/src/gabo/internal/generator/data/lint-yaml.yaml
index 2b19ca9..ade5221 100644
--- a/src/gabo/internal/generator/data/lint-yaml.yaml
+++ b/src/gabo/internal/generator/data/lint-yaml.yaml
@@ -23,6 +23,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintYaml:
     runs-on: ubuntu-latest
diff --git a/src/gabo/internal/generator/data/translate-android.yaml b/src/gabo/internal/generator/data/translate-android.yaml
index 9821dcb..346a5a9 100644
--- a/src/gabo/internal/generator/data/translate-android.yaml
+++ b/src/gabo/internal/generator/data/translate-android.yaml
@@ -19,6 +19,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
+    # Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+    permissions:
+      contents: read
+      pull-requests: write
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
diff --git a/src/gabo/internal/generator/data/validate-openapi-schema.incomplete.yaml b/src/gabo/internal/generator/data/validate-openapi-schema.incomplete.yaml
index e6d548c..335526a 100644
--- a/src/gabo/internal/generator/data/validate-openapi-schema.incomplete.yaml
+++ b/src/gabo/internal/generator/data/validate-openapi-schema.incomplete.yaml
@@ -21,6 +21,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   # Run locally with "act -j validateOpenAPISchema"
diff --git a/src/gabo/internal/generator/data/validate-render-blueprint.yaml b/src/gabo/internal/generator/data/validate-render-blueprint.yaml
index 6b59ba9..9475567 100644
--- a/src/gabo/internal/generator/data/validate-render-blueprint.yaml
+++ b/src/gabo/internal/generator/data/validate-render-blueprint.yaml
@@ -21,6 +21,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   validateRenderBlueprint:
     runs-on: ubuntu-latest