build: tweak permissions and use fine-grained PAT

---
type: pre_commit_static_analysis_report
description: Results of running static analysis checks when committing changes.
report:
  - task: lint_filenames
    status: passed
  - task: lint_editorconfig
    status: passed
  - task: lint_markdown
    status: na
  - task: lint_package_json
    status: na
  - task: lint_repl_help
    status: na
  - task: lint_javascript_src
    status: na
  - task: lint_javascript_cli
    status: na
  - task: lint_javascript_examples
    status: na
  - task: lint_javascript_tests
    status: na
  - task: lint_javascript_benchmarks
    status: na
  - task: lint_python
    status: na
  - task: lint_r
    status: na
  - task: lint_c_src
    status: na
  - task: lint_c_examples
    status: na
  - task: lint_c_benchmarks
    status: na
  - task: lint_c_tests_fixtures
    status: na
  - task: lint_shell
    status: na
  - task: lint_typescript_declarations
    status: na
  - task: lint_typescript_tests
    status: na
  - task: lint_license_headers
    status: passed
---

---
type: pre_push_report
description: Results of running various checks prior to pushing changes.
report:
  - task: run_javascript_examples
    status: na
  - task: run_c_examples
    status: na
  - task: run_cpp_examples
    status: na
  - task: run_javascript_readme_examples
    status: na
  - task: run_c_benchmarks
    status: na
  - task: run_cpp_benchmarks
    status: na
  - task: run_fortran_benchmarks
    status: na
  - task: run_javascript_benchmarks
    status: na
  - task: run_julia_benchmarks
    status: na
  - task: run_python_benchmarks
    status: na
  - task: run_r_benchmarks
    status: na
  - task: run_javascript_tests
    status: na
---

Author: Planeshifter

.github/workflows/do_not_merge.yml

@@ -43,8 +43,7 @@ jobs:
 
     # Define job permissions:
     permissions:
-      contents: read
-      pull-requests: write
+      pull-requests: read
 
     # Define the type of virtual host machine:
     runs-on: ubuntu-latest

.github/workflows/first_time_greeting.yml

@@ -24,8 +24,8 @@ on: [pull_request_target, issues]
 
 # Global permissions:
 permissions:
-  # Allow read-only access to the repository contents:
-  contents: read
+  # Do not give the workflow any permissions:
+  contents: none
 
 # Workflow jobs:
 jobs:
@@ -47,7 +47,7 @@ jobs:
         # Pin action to full length commit SHA
         uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0
         with:
-          repo-token: ${{ secrets.CHATBOT_GITHUB_TOKEN }}
+          repo-token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }}
           issue-message: |
             :wave: Hi there! :wave:
 

.github/workflows/make.yml

@@ -64,6 +64,9 @@ jobs:
 
           # Specify whether to download Git-LFS files:
           lfs: false
+
+          # Avoid storing GitHub token in local Git configuration:
+          persist-credentials: false
         timeout-minutes: 10
 
       # Install Node.js:

.github/workflows/markdown_equations.yml

@@ -64,6 +64,9 @@ jobs:
 
           # Specify whether to download Git-LFS files:
           lfs: false
+
+          # Avoid storing GitHub token in local Git configuration:
+          persist-credentials: false
         timeout-minutes: 10
 
       # Install Node.js:
@@ -103,7 +106,6 @@ jobs:
           git_user_signingkey: true
           git_commit_gpgsign: true
 
-
       # Generate list of changed Markdown files:
       - name: 'Find changed Markdown files'
         run: |
@@ -161,7 +163,7 @@ jobs:
           commit-message: 'docs: update Markdown equation elements'
           committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>'
           signoff: true
-          token: ${{ secrets.PULL_REQUEST_TOKEN }}
+          token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }}
           labels: |
             documentation
             automated-pr

.github/workflows/markdown_links.yml

@@ -76,6 +76,9 @@ jobs:
 
           # Specify whether to download Git-LFS files:
           lfs: false
+
+          # Avoid storing GitHub token in local Git configuration:
+          persist-credentials: false
         timeout-minutes: 10
 
       # Initialize log files:

.github/workflows/markdown_pkg_urls.yml

@@ -70,6 +70,10 @@ jobs:
 
           # Specify whether to download Git-LFS files:
           lfs: false
+
+          # Avoid storing GitHub token in local Git configuration:
+          persist-credentials: false
+
         timeout-minutes: 10
 
       # Install Node.js:
@@ -131,7 +135,7 @@ jobs:
           fi
         timeout-minutes: 10
 
-     # Create a pull request with the changes:
+      # Create a pull request with the changes:
       - name: 'Create pull request'
         id: cpr
         if: steps.update-markdown-pkg-urls.outputs.changed == 'true'
@@ -147,7 +151,7 @@ jobs:
           commit-message: 'docs: update Markdown stdlib package URLs'
           committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>'
           signoff: true
-          token: ${{ secrets.PULL_REQUEST_TOKEN }}
+          token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }}
           labels: |
             documentation
             automated-pr

.github/workflows/markdown_related_packages.yml

@@ -68,6 +68,9 @@ jobs:
 
           # Specify whether to download Git-LFS files:
           lfs: false
+
+          # Avoid storing GitHub token in local Git configuration:
+          persist-credentials: false
         timeout-minutes: 10
 
       # Install Node.js:
@@ -159,7 +162,7 @@ jobs:
           commit-message: 'docs: update related packages sections'
           committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>'
           signoff: true
-          token: ${{ secrets.PULL_REQUEST_TOKEN }}
+          token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }}
           labels: |
             documentation
             automated-pr

.github/workflows/markdown_src_attributes.yml

@@ -23,7 +23,7 @@ name: markdown_src_attributes
 on:
   schedule:
     # Run the workflow once a month on the 1st day of every month:
-    - cron:  "0 0 1 * *"
+    - cron: '0 0 1 * *'
 
   # Allow the workflow to be manually run:
   workflow_dispatch:
@@ -73,6 +73,9 @@ jobs:
 
           # Specify whether to download Git-LFS files:
           lfs: false
+
+          # Avoid storing GitHub token in local Git configuration:
+          persist-credentials: false
         timeout-minutes: 10
 
       # Initialize log files:

.github/workflows/markdown_tocs.yml

@@ -64,6 +64,9 @@ jobs:
 
           # Specify whether to download Git-LFS files:
           lfs: false
+
+          # Avoid storing GitHub token in local Git configuration:
+          persist-credentials: false
         timeout-minutes: 10
 
       # Install Node.js:
@@ -129,7 +132,7 @@ jobs:
           commit-message: 'docs: update namespace table of contents'
           signoff: true
           committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>'
-          token: ${{ secrets.PULL_REQUEST_TOKEN }}
+          token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }}
           labels: |
             documentation
             automated-pr

.github/workflows/namespace_declarations.yml

@@ -64,6 +64,9 @@ jobs:
 
           # Specify whether to download Git-LFS files:
           lfs: false
+
+          # Avoid storing GitHub token in local Git configuration:
+          persist-credentials: false
         timeout-minutes: 10
 
       # Install Node.js:
@@ -124,7 +127,7 @@ jobs:
           commit-message: 'feat: update namespace TypeScript declarations'
           committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>'
           signoff: true
-          token: ${{ secrets.PULL_REQUEST_TOKEN }}
+          token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }}
           labels: |
             documentation
             automated-pr