Merge pull request #770 from martin-schulze-vireso/feature/further_ci…

…_hardening

CI: Restrict permissions further

.github/workflows/release.yml

@@ -4,6 +4,9 @@ on:
   release: { types: [published] }
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   npmjs:
     runs-on: ubuntu-latest
@@ -18,6 +21,8 @@ jobs:
 
   github-npm:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1

.github/workflows/release_dockerhub.yml

@@ -14,6 +14,8 @@ permissions:
 jobs:
     dockerhub:
         runs-on: ubuntu-latest
+        permissions: 
+          packages: write
         steps:
         - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 

.github/workflows/tests.yml

@@ -3,6 +3,9 @@ name: Tests
 # Controls when the action will run.
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     runs-on: ubuntu-20.04
@@ -276,9 +279,6 @@ jobs:
 
   coverage:
     runs-on: ubuntu-20.04
-    permissions:
-      pull-requests: write
-      issues: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - run: |

docs/CHANGELOG.md

@@ -13,7 +13,7 @@ The format is based on [Keep a Changelog][kac] and this project adheres to
 
 ### Added
 
-* hardened CI scripts by using hashes instead of versions for actions (#754)
+* hardened CI scripts by using hashes instead of versions for actions and restricting permissions (#754, #770)
 * add security.md (#762)
 * add codespell CI checks (#720)