From ec1c82cb2da25adc5f9ee638db66a88c0fbb380b Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Wed, 3 Jun 2026 10:01:58 +0200
Subject: [PATCH 1/2] Reduce permissions for GitHub actions tokens

---
 .github/workflows/build-virtualenv-caches.yml | 2 ++
 .github/workflows/cleanup-pr-tag.yml | 3 +++
 .github/workflows/publish-pypi.yml | 2 ++
 .github/workflows/test.yml | 2 ++
 4 files changed, 9 insertions(+)

diff --git a/.github/workflows/build-virtualenv-caches.yml b/.github/workflows/build-virtualenv-caches.yml
index 343a6f0d7..f237a1eae 100644
--- a/.github/workflows/build-virtualenv-caches.yml
+++ b/.github/workflows/build-virtualenv-caches.yml
@@ -9,6 +9,8 @@ on:
 schedule:
 - cron: '0 4 * * MON'
 
+permissions: {}
+
 jobs:
 build-lint-virtualenvs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/cleanup-pr-tag.yml b/.github/workflows/cleanup-pr-tag.yml
index 3b345cc8b..4a5edf448 100644
--- a/.github/workflows/cleanup-pr-tag.yml
+++ b/.github/workflows/cleanup-pr-tag.yml
@@ -6,6 +6,9 @@ name: Delete closed PR container image tag
 types:
 - closed
 
+permissions:
+ packages: write
+
 jobs:
 cleanup-pr-tag:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 610fdad49..b895dc25b 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -10,6 +10,8 @@ on:
 branches:
 - master
 
+permissions: {}
+
 jobs:
 build-and-publish:
 # Skip job on forks
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8135c8b63..f9ee4b9a6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,6 +4,8 @@ on:
 branches:
 - master
 
+permissions: {}
+
 jobs:
 lints:
 runs-on: ubuntu-latest
From 7fe681097a0150ef669aeb919808e95a2aa05300 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Wed, 3 Jun 2026 10:15:47 +0200
Subject: [PATCH 2/2] Refactor `test_install_jb` to not assert time delta

---
 tests/test_tools.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

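Review bot: The empty `permissions: {}` block also sets `contents` to none, and on a private repository that is the scope `actions/checkout` needs to clone; whether this workflow's job checks out code is not visible, since the job steps sit below the hunk. For a public repository the checkout is expected to keep working without it, so this is a check against the job definitions rather than a definite break; the same consideration applies to the identical blocks added in publish-pypi.yml and test.yml. A one-line comment above the block would record the intent for later edits, e.g. `# No default token scopes; a job that needs one grants it in its own permissions block`.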
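Review bot: `packages: write` is granted at workflow level, so every job and every action invoked anywhere in this file runs with a token that can modify package versions, not only the step that deletes the PR tag; with a single job the effect is the same today, but a `permissions:` block on the `cleanup-pr-tag` job itself keeps the write scope tied to that job if more are added later. Naming one scope also sets all unspecified ones, including `contents: read`, to none, so confirm the job does not depend on a checkout of a private repository — its steps are below the hunk. If the trigger above the hunk is plain `pull_request`, the token for pull requests from forks is read-only whatever this block says, so the delete step may fail for those; that is inferred, as the `on:` key is not in view.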
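Review bot: `permissions: {}` also leaves `id-token` at none, so if the `build-and-publish` job relies on PyPI trusted publishing (OIDC) the publish step can no longer request an identity token; the job's steps are outside the hunk, so this needs checking against the publish action in use. If it does, grant the scope on that job rather than widening the workflow default, `permissions: { id-token: write }` under `build-and-publish:`. If the job authenticates with a stored API token secret instead, the empty block is fine as written.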
diff --git a/tests/test_tools.py b/tests/test_tools.py
index ea2551f0d..a21f6abe7 100644
--- a/tests/test_tools.py
+++ b/tests/test_tools.py
@@ -5,7 +5,7 @@ import stat import sys
-from datetime import datetime, timedelta
+from datetime import datetime
 from pathlib import Path
 from typing import Optional
 from unittest.mock import patch, MagicMock
@@ -276,6 +276,7 @@ def test_install_jb(config: Config, fs, capsys):
 config.managed_tools = {}
 _setup_tool_github_responses()
 assert not tools.MANAGED_TOOLS_PATH.exists()
+ before_install = datetime.now().replace(microsecond=0)
 
 tools.install_tool(config, "jb", None)
 
@@ -299,7 +300,10 @@ def test_install_jb(config: Config, fs, capsys):
 assert len(state) == 1
 assert "jb" in state
 updated = datetime.fromisoformat(state["jb"])
- assert datetime.now() - updated < timedelta(seconds=1)
+ # NOTE(sg): we're not checking timedelta here, instead we're verifying that the updated
+ # timestamp is between now and before we installed the tool.
+ assert datetime.now() > updated
+ assert updated >= before_install
 
 
 @pytest.mark.skipif(
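Review bot: `before_install = datetime.now().replace(microsecond=0)` drops the sub-second part without saying why; presumably the timestamp that ends up in the state file has second resolution, so the lower bound has to be rounded down for the later `updated >= before_install` to hold, but that reasoning is not visible here. A short comment keeps the assertion self-explanatory, e.g. `# Truncate to whole seconds so this bound is never ahead of a second-resolution stored timestamp`. The rest of test_install_jb lies outside this hunk.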
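Review bot: `assert datetime.now() > updated` is strict while the companion `assert updated >= before_install` is inclusive, and the NOTE comment describes the value as lying between the two bounds; `assert datetime.now() >= updated` states that invariant exactly and removes the one remaining way the test can fail on timing alone, a stored timestamp that coincides with the instant of the later `now()` read. Both comparisons also assume naive local-time datetimes on both sides, as the removed `timedelta` check already did, which is worth keeping in mind if the stored format ever gains a timezone. The body of test_install_jb starts before this hunk.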