really tighten permissions

Author: anthony-nhs

.github/workflows/dependabot-auto-approve-and-merge.yml

@@ -8,13 +8,13 @@ on:
             AUTOMERGE_PEM:
                 required: true
 
-permissions:
-    pull-requests: write
-    contents: write
-
+permissions: {}
 jobs:
     dependabot:
         runs-on: ubuntu-22.04
+        permissions:
+            pull-requests: write
+            contents: write
         if: (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'eps-create-pull-request[bot]') && github.repository == github.event.pull_request.head.repo.full_name
         steps:
             - name: Get token from Github App

.github/workflows/get-repo-config.yml

@@ -39,6 +39,7 @@ on:
                 description: Resolved digest for the supplied image reference
                 value: ${{ jobs.verify_attestation.outputs.resolved_digest }}
 
+permissions: {}
 jobs:
     get_config_values:
         runs-on: ubuntu-22.04

.github/workflows/pr_title_check.yml

@@ -3,6 +3,7 @@ name: PR Title Check
 on:
     workflow_call:
 
+permissions: {}
 jobs:
     pr_title_format_check:
         runs-on: ubuntu-22.04

.github/workflows/sync_copilot.yml

@@ -5,6 +5,7 @@ on:
   schedule:
     - cron: "0 6 * * 1"
 
+permissions: {}
 jobs:
   sync-copilot-instructions:
     runs-on: ubuntu-22.04

.github/workflows/tag-release-devcontainer.yml

@@ -79,6 +79,8 @@ on:
             PYPI_TOKEN:
                 required: false
                 description: "PyPI token to publish packages"
+
+permissions: {}
 jobs:
     tag_release:
         permissions:

.github/workflows/update-dev-container-version.yml

@@ -4,6 +4,7 @@ on:
   workflow_dispatch:
   schedule:
     - cron: "0 6 * * 4"
+
 permissions: {}
 
 jobs: