build: add GitHub token permissions for workflows

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

PR-URL: #43743
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

.github/workflows/authors.yml

@@ -6,6 +6,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   authors_update:
     if: github.repository == 'nodejs/node'

.github/workflows/auto-start-ci.yml

@@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }}
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   get-prs-for-ci:
+    permissions:
+      pull-requests: read
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     outputs:
@@ -32,6 +37,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   start-ci:
+    permissions:
+      contents: read
+      pull-requests: write
     needs: get-prs-for-ci
     if: needs.get-prs-for-ci.outputs.numbers != ''
     runs-on: ubuntu-latest

.github/workflows/build-tarball.yml

@@ -31,6 +31,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   build-tarball:
     if: github.event.pull_request.draft == false

.github/workflows/build-windows.yml

@@ -26,6 +26,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   build-windows:
     if: github.event.pull_request.draft == false

.github/workflows/close-stale-feature-requests.yml

@@ -28,8 +28,14 @@ env:
     [feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
 # yamllint enable
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     steps:

.github/workflows/close-stalled.yml

@@ -9,8 +9,14 @@ env:
     is still relevant, or to ping the collaborator who labelled it stalled if
     you have any questions.
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     steps:

.github/workflows/comment-labeled.yml

@@ -11,8 +11,14 @@ env:
     If it should remain open, please leave a comment explaining why it should remain open.
   FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve.
 
+permissions:
+  contents: read
+
 jobs:
   stale-comment:
+    permissions:
+      issues: write
+      pull-requests: write
     if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled'
     runs-on: ubuntu-latest
     steps:
@@ -23,6 +29,8 @@ jobs:
         run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE"
 
   fast-track:
+    permissions:
+      pull-requests: write
     if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track'
     runs-on: ubuntu-latest
     steps:

.github/workflows/commit-lint.yml

@@ -5,6 +5,9 @@ on: [pull_request]
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   lint-commit-message:
     runs-on: ubuntu-latest

.github/workflows/commit-queue.yml

@@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }}
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   get_mergeable_prs:
+    permissions:
+      pull-requests: read
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     outputs:

.github/workflows/coverage-linux.yml

@@ -29,6 +29,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   coverage-linux:
     if: github.event.pull_request.draft == false

.github/workflows/coverage-windows.yml

@@ -31,6 +31,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   coverage-windows:
     if: github.event.pull_request.draft == false

.github/workflows/daily.yml

@@ -8,6 +8,9 @@ on:
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   build-lto:
     runs-on: ubuntu-latest

.github/workflows/doc.yml

@@ -16,6 +16,9 @@ concurrency:
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   build-docs:
     if: github.event.pull_request.draft == false

.github/workflows/find-inactive-collaborators.yml

@@ -10,6 +10,9 @@ on:
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   find:
     if: github.repository == 'nodejs/node'

.github/workflows/find-inactive-tsc.yml

@@ -10,6 +10,9 @@ on:
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   find:
     if: github.repository == 'nodejs/node'

.github/workflows/label-pr.yml

@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   label:
     runs-on: ubuntu-latest

.github/workflows/license-builder.yml

@@ -6,8 +6,14 @@ on:
     - cron: 0 0 * * 1
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update_license:
+    permissions:
+      contents: write  # for gr2m/create-or-update-pull-request-action to push local changes
+      pull-requests: write  # for gr2m/create-or-update-pull-request-action to create a PR
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     steps:

.github/workflows/linters.yml

@@ -17,6 +17,9 @@ env:
   PYTHON_VERSION: '3.10'
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   lint-addon-docs:
     if: github.event.pull_request.draft == false

.github/workflows/notify-force-push.yml

@@ -4,6 +4,9 @@ on:
       - main
 
 name: Notify on Force Push
+permissions:
+  contents: read
+
 jobs:
   slackNotification:
     name: Slack Notification

.github/workflows/test-asan.yml

@@ -33,6 +33,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   test-asan:
     if: github.event.pull_request.draft == false

.github/workflows/test-internet.yml

@@ -24,6 +24,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   test-internet:
     runs-on: ubuntu-latest

.github/workflows/test-linux.yml

@@ -26,6 +26,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   test-linux:
     if: github.event.pull_request.draft == false

.github/workflows/test-macos.yml

@@ -32,6 +32,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   test-macOS:
     if: github.event.pull_request.draft == false

.github/workflows/tools.yml

@@ -6,6 +6,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   tools-deps-update:
     if: github.repository == 'nodejs/node'