Closed
Labels
ci (related to the CI system), github_actions (Pull requests that update Github_actions code)
Description
Required prerequisites
- Make sure you've read the documentation. Your issue may be addressed there.
- Search the issue tracker and Discussions to verify that this hasn't already been reported. +1 or comment there if it has.
- Consider asking first in the Gitter chat room or in a Discussion.
What version (or hash if on master) of pybind11 are you using?
None
Problem description
GitHub grants, by default, write-all permissions to all workflows, which allows an attacker to exploit these permissions in case of a compromised workflow. Thus, it is a recommendation from both the OpenSSF Scorecard and GitHub itself to always use credentials that are minimally scoped.
This means setting the top-level permission as `contents: read` (usually enough for most actions) or even `read-all`, and granting any write permission at the job level.
Let me know if you are interested in this change and I'll submit the PR as soon as possible.
Context: I'm Joyce, working on behalf of Google and the OpenSSF to increase supply chain security in many open source projects.
Reproducible example code
You can see the permissions granted to a workflow run in the run log such as https://github.com/pybind/pybind11/actions/runs/4378748766/jobs/7663879679 in the `Set up job` -> `GITHUB_TOKEN Permissions`
Is this a regression? Put the last known working version here if it is.
Not a regression
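The permission layout the issue asks for, as an added example that is not part of the original issue or of pybind11's own workflows. Two workflows are shown separated by `---`: the first has no `permissions` key and so inherits the repository default; the second pins the token to read-only at the top level and grants a write scope to one job only. The job names, triggers, `make test` command, `release` job and `./publish.sh` script are hypothetical placeholders.

```yaml
# Added example, not from the pybind11 repository. Job names, triggers,
# `make test` and the `release` job with `./publish.sh` are hypothetical.

# Before: no `permissions` key. With the default repository setting every
# job in this workflow receives a write-all GITHUB_TOKEN.
name: ci-before
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test            # needs only read access, yet runs with write-all

---
# After: read-only token at the workflow level; only the job that actually
# writes gets a narrowly scoped grant.
name: ci-after
on: [push, pull_request]

permissions:
  contents: read                  # default for every job unless the job overrides it
# `permissions: read-all` is the alternative the issue mentions: read access
# on every scope, still no writes.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test            # runs with contents: read only

  release:                        # hypothetical job that must push a tag or release
    needs: build
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write             # job-level grant; scopes not listed here are set to none
    steps:
      - uses: actions/checkout@v3
      - run: ./publish.sh         # hypothetical script that uses GITHUB_TOKEN
```

Two caveats when applying this. Listing any scope under `permissions` (at either level) sets every unlisted scope to `none`, so a job that, for example, comments on pull requests needs `pull-requests: write` added explicitly at the job level. And the result is visible per run, as the issue notes, under `Set up job` -> `GITHUB_TOKEN Permissions` in the run log, which is the place to confirm that `build` now shows `Contents: read` rather than write on every scope.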