Merge branch 'main' into ci/add-scorecard-and-dependency-review-workflows

Author: lwjohnst86

.cz.toml

@@ -2,3 +2,5 @@
 bump_message = "build(version): :bookmark: update version from $current_version to $new_version [skip ci]"
 update_changelog_on_bump = true
 version_provider = "uv"
+# Don't regenerate the changelog on every update
+changelog_incremental = true

.github/workflows/add-to-project.yml

@@ -11,12 +11,14 @@ on:
       - reopened
       - opened
 
-permissions:
-  pull-requests: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   add-to-project:
     uses: seedcase-project/.github/.github/workflows/reusable-add-to-project.yml@main
+    permissions:
+      pull-requests: write
     with:
       board-number: 18
       app-id: ${{ vars.ADD_TO_BOARD_APP_ID }}

.github/workflows/build-package.yml

@@ -21,9 +21,12 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   build:
     uses: seedcase-project/.github/.github/workflows/reusable-build-python.yml@main
+    # Permissions needed for pushing to the coverage branch.
+    permissions:
+      contents: write

.github/workflows/sync-files.yml

@@ -5,6 +5,9 @@ on:
       - main
   workflow_dispatch:
 
+# Limit token permissions for security
+permissions: read-all
+
 jobs:
   sync:
     uses: seedcase-project/.github/.github/workflows/reusable-sync-files.yml@main

.github/workflows/update-version.yml

@@ -5,11 +5,14 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   update-version:
+    # Only give permissions for this job.
+    permissions:
+      contents: write
     uses: seedcase-project/.github/.github/workflows/reusable-update-python-project-version.yml@main
     with:
       app-id: ${{ vars.UPDATE_VERSION_APP_ID }}