ci: reduce workflow permissions

Decrease security exposure by restricting what the code executing in the
actions is allowed to do (in terms of GitHub operations).

Author: bluetech

.github/workflows/main.yml

@@ -13,13 +13,19 @@ on:
     branches:
       - main
       - "[0-9]+.[0-9]+.x"
+
 env:
   PYTEST_ADDOPTS: "--color=yes"
 
+# Set permissions at the job level.
+permissions: {}
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 30
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -139,10 +145,13 @@ jobs:
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
+
     - name: Set up Python ${{ matrix.python }}
       uses: actions/setup-python@v2
       with:
         python-version: ${{ matrix.python }}
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
@@ -164,49 +173,67 @@ jobs:
 
   linting:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
+
     - uses: actions/setup-python@v2
+
     - name: set PY
       run: echo "name=PY::$(python -c 'import hashlib, sys;print(hashlib.sha256(sys.version.encode()+sys.executable.encode()).hexdigest())')" >> $GITHUB_ENV
+
     - uses: actions/cache@v2
       with:
         path: ~/.cache/pre-commit
         key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install tox
+
     - run: tox -e linting
 
   deploy:
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') && github.repository == 'pytest-dev/pytest'
 
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: read
 
     needs: [build]
 
     steps:
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
+
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
         python-version: "3.7"
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install --upgrade wheel setuptools tox
+
     - name: Build package
       run: |
         python setup.py sdist bdist_wheel
+
     - name: Publish package to PyPI
       uses: pypa/gh-action-pypi-publish@master
       with:
         user: __token__
         password: ${{ secrets.pypi_token }}
+
     - name: Publish GitHub release notes
       env:
         GH_RELEASE_NOTES_TOKEN: ${{ secrets.release_notes }}

.github/workflows/prepare-release-pr.yml

@@ -12,14 +12,20 @@ on:
         required: true
         default: 'no'
 
+# Set permissions at the job level.
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v2

.github/workflows/release-on-comment.yml

@@ -7,25 +7,33 @@ on:
   issue_comment:
     types: [created, edited]
 
+# Set permissions at the job level.
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please'))
 
     steps:
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
         python-version: "3.8"
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install --upgrade setuptools tox
+
     - name: Prepare release
       run: |
         tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ secrets.chatops }}

.github/workflows/update-plugin-list.yml

@@ -7,22 +7,35 @@ on:
     - cron: '0 0 * * 0'
   workflow_dispatch:
 
+# Set permissions at the job level.
+permissions: {}
+
 jobs:
   createPullRequest:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
       - name: Setup Python
         uses: actions/setup-python@v2
         with:
           python-version: 3.8
+
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           pip install packaging requests tabulate[widechars]
+
       - name: Update Plugin List
         run: python scripts/update-plugin-list.py
+
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@2455e1596942c2902952003bbb574afbbe2ab2e6
         with: