GitHub Workflows security hardening (#6246)

Author: sashashura

.github/workflows/label-gun.yml

@@ -6,8 +6,13 @@ on:
   issue_comment:
     types: [created, edited, closed]
 
+permissions: {}
 jobs:
   label:
+    permissions:
+      issues: write # to add label to an issues (retorquere/label-gun)
+      pull-requests: write # to add label, comment on pull request (retorquere/label-gun)
+
     runs-on: ubuntu-latest
     steps:
       - uses: retorquere/label-gun@main

.github/workflows/merge.yaml

@@ -12,8 +12,13 @@ on:
         description: Commit message
         required: true
 
+permissions: {}
 jobs:
   release:
+    permissions:
+      contents: write # to create a release
+      pull-requests: read # to read pull requests (dorny/paths-filter)
+
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/sheldon.yaml

@@ -4,8 +4,13 @@ on:
   pull_request_target:
     types: [ opened, synchronize, workflow_dispatch]
 
+permissions: {}
 jobs:
   test:
+    permissions:
+      contents: write # to push code in repo (stefanzweifel/git-auto-commit-action)
+      pull-requests: write # to comment on pull requests
+
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"