ci: set minimal permissions to workflows (#7070)

diogoteles08 · krassowski · web-flow · commit 5a8c3ad31364 · 2023-09-25T10:45:23.000+02:00
* ci: set minimal permissions to workflows

Signed-off-by: Diogo Teles Sant'Anna &lt;diogoteles@google.com&gt;

* Fix trailing whitespace on playwright-update.yml

Co-authored-by: Michał Krassowski &lt;5832902+krassowski@users.noreply.github.com&gt;

---------

Signed-off-by: Diogo Teles Sant'Anna &lt;diogoteles@google.com&gt;
Co-authored-by: Michał Krassowski &lt;5832902+krassowski@users.noreply.github.com&gt;
diff --git a/.github/workflows/auto_author_assign.yml b/.github/workflows/auto_author_assign.yml
@@ -6,10 +6,12 @@ on:
     types: [opened, reopened]
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   assign-author:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: toshimaru/auto-author-assign@v1.6.2
diff --git a/.github/workflows/binder.yml b/.github/workflows/binder.yml
@@ -3,6 +3,9 @@ on:
   pull_request_target:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   binder:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,7 +8,7 @@ on:
     - cron: '0 0 * * *'
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
diff --git a/.github/workflows/buildutils.yml b/.github/workflows/buildutils.yml
@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   versioning:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-release.yml b/.github/workflows/check-release.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
diff --git a/.github/workflows/enforce-label.yml b/.github/workflows/enforce-label.yml
@@ -1,5 +1,8 @@
 name: Enforce PR label
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -5,12 +5,14 @@ on:
     - cron: '0 0 * * *'
 
 permissions:
-  issues: write
-  pull-requests: write
+  contents: read
 
 jobs:
   lock:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: dessant/lock-threads@v4
         with:
diff --git a/.github/workflows/playwright-update.yml b/.github/workflows/playwright-update.yml
@@ -5,13 +5,14 @@ on:
     types: [created, edited]
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-snapshots:
     if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'update playwright snapshots') }}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # Required by actions/update-snapshots
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/prep-release.yml b/.github/workflows/prep-release.yml
@@ -19,6 +19,8 @@ on:
         description: 'Use PRs with activity since the last stable git tag'
         required: false
         type: boolean
+permissions:
+  contents: read
 jobs:
   prep_release:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -12,6 +12,9 @@ on:
         description: 'Comma separated list of steps to skip'
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   publish_release:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml
@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
