ci: set minimal permissions to workflows (#7070)

* ci: set minimal permissions to workflows

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* Fix trailing whitespace on playwright-update.yml

Co-authored-by: Michał Krassowski <5832902+krassowski@users.noreply.github.com>

---------

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Co-authored-by: Michał Krassowski <5832902+krassowski@users.noreply.github.com>

.github/workflows/auto_author_assign.yml

@@ -6,10 +6,12 @@ on:
     types: [opened, reopened]
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   assign-author:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: toshimaru/auto-author-assign@v1.6.2

.github/workflows/binder.yml

@@ -3,6 +3,9 @@ on:
   pull_request_target:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   binder:
     runs-on: ubuntu-latest

.github/workflows/build.yml

@@ -8,7 +8,7 @@ on:
     - cron: '0 0 * * *'
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}

.github/workflows/buildutils.yml

@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   versioning:
     runs-on: ubuntu-latest

.github/workflows/check-release.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}

.github/workflows/enforce-label.yml

@@ -1,5 +1,8 @@
 name: Enforce PR label
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]

.github/workflows/lock.yml

@@ -5,12 +5,14 @@ on:
     - cron: '0 0 * * *'
 
 permissions:
-  issues: write
-  pull-requests: write
+  contents: read
 
 jobs:
   lock:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: dessant/lock-threads@v4
         with:

.github/workflows/playwright-update.yml

@@ -5,13 +5,14 @@ on:
     types: [created, edited]
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-snapshots:
     if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'update playwright snapshots') }}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # Required by actions/update-snapshots
     strategy:
       fail-fast: false
       matrix:

.github/workflows/prep-release.yml

@@ -19,6 +19,8 @@ on:
         description: 'Use PRs with activity since the last stable git tag'
         required: false
         type: boolean
+permissions:
+  contents: read
 jobs:
   prep_release:
     runs-on: ubuntu-latest

.github/workflows/publish-release.yml

@@ -12,6 +12,9 @@ on:
         description: 'Comma separated list of steps to skip'
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   publish_release:
     runs-on: ubuntu-latest

.github/workflows/ui-tests.yml

@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build