ci: Add GitHub token permissions for workflows

[varunsh-coder]

Context

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows

• https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
• https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
• The Open Source Security Foundation (OpenSSF) Scorecards treats not setting token permissions as a high-risk issue

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Signed-off-by: Varun Sharma varunsh@stepsecurity.io

Contributor Checklist

• Review Contribution Guidelines
• Make sure that all commits are signed off to indicate that you agree to the terms of Developer Certificate of Origin.
• Make sure all contributed code can be distributed under the terms of the Apache License 2.0, e.g. the code was written by yourself or the original code is licensed under a license compatible to Apache License 2.0.
• Check "Allow edit from maintainers" option in pull request so that additional changes can be pushed by Gradle team
• Provide integration tests (under <subproject>/src/integTest) to verify changes from a user perspective
• Provide unit tests (under <subproject>/src/test) to verify logic
• Update User Guide, DSL Reference, and Javadoc for public-facing changes
• Ensure that tests pass sanity check: ./gradlew sanityCheck
• Ensure that tests pass locally: ./gradlew <changed-subproject>:quickTest

Gradle Core Team Checklist

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation
• Recognize contributor in release notes

[wolfs]

Thank you for your PR. I feel like the permissions you added won't be sufficient for some of the workflows. Can we/you somehow check if this would work?

[wolfs]

Does the gradle build action need more access than reading the contents?

[varunsh-coder]

Based on my code review of https://github.com/gradle/gradle-build-action, it does not use the GITHUB_TOKEN.

[blindpirate]

I wonder if github action needs to update the commit status, which requires write access. Anyway, we can start with strictest policy and adjust it later.

[blindpirate]

@bot-gradle test and merge

[bot-gradle]

No milestone for this PR. Please set a milestone and retry.

[blindpirate]

@bot-gradle test and merge

[bot-gradle]

OK, I've already triggered a build for you.