Restrict GitHub Actions permissions

[bluetech]

There is now some functionality for restricting workflow permissions: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

Given the recent CodeCov trouble this sounds like a good idea.

I suggest we enable this setting for the repository, and specify needed permissions for specific workflow files. It might cause some failed runs initially but should be easily fixed.

Another thing we can do is to specify persist-credentials for the actions/checkout action when it's not needed.

[bluetech]

Status:

• Updated the permissions in main
• Stopped using tokens in secrets
• Backported to the stable branch
• Changed the repo settings to default read-only permissions

I suggest we wait until the next release and see if it works well, then delete the secrets from the repo and possibly revoke them.

I'll repoen to track this.

[RonnyPfannschmidt]

👍 thanks !!

[The-Compiler]

@bluetech So from what I'm gathering, there's nothing left to do here before the next feature release, this is just to keep track if things work out fine during the release?

[bluetech]

Right, this is just for tracking. I hope these changes won't interrupt the release -- I think I covered everything, but if not, I'll try to follow the notifications and help.

[The-Compiler]

Well, looks like it did interrupt the release 😅 It fails with:

remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/pytest-dev/pytest.git/'
Traceback (most recent call last):
  File "scripts/prepare-release-pr.py", line 152, in <module>
    main()
  File "scripts/prepare-release-pr.py", line 143, in main
    prepare_release_pr(
  File "scripts/prepare-release-pr.py", line 93, in prepare_release_pr
    run(
  File "/opt/hostedtoolcache/Python/3.8.10/x64/lib/python3.8/subprocess.py", line 516, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['git', 'push', '***github.com/pytest-dev/pytest.git', 'HEAD:release-7.0.0rc1', '--force']' returned non-zero exit status 128.

I think we probably shouldn't be doing persist-credentials: false for prepare-release-pr.yml?

[The-Compiler]

Opening the PR worked now. Still keeping this open until we actually manage to get a release fully published.