github: set top-level read-only workflow permissions (#6775)

pnacht · web-flow · commit eb46b7d427ee · 2023-11-09T15:59:21.000-08:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -8,16 +8,18 @@ on:
 
 permissions:
   contents: read
-  security-events: write
-  pull-requests: read
-  actions: read
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     timeout-minutes: 30
 
+    permissions:
+      security-events: write
+      pull-requests: read
+      actions: read
+
     strategy:
       fail-fast: false
 
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -1,5 +1,9 @@
 name: codecov
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   upload:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -6,12 +6,14 @@ on:
     - cron: '22 1 * * *'
 
 permissions:
-  issues: write
-  pull-requests: write
+  contents: read
 
 jobs:
   lock:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: dessant/lock-threads@v2
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   release:
     permissions:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -5,6 +5,9 @@ on:
   schedule:
   - cron: "44 */2 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     runs-on: ubuntu-latest
