GitHub Workflows security hardening (#2444)

* build: harden pypi-publish.yaml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden stale-issues.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden release-drafter.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden integration.yaml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

Signed-off-by: Alex <aleksandrosansan@gmail.com>
Co-authored-by: Chayim <chayim@users.noreply.github.com>

Author: sashashura

.github/workflows/integration.yaml

@@ -16,6 +16,9 @@ on:
   schedule:
     - cron: '0 1 * * *' # nightly build
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
 
    dependency-audit:

.github/workflows/pypi-publish.yaml

@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
 
   build_and_package:

.github/workflows/release-drafter.yml

@@ -6,8 +6,13 @@ on:
     branches:
       - master
 
+permissions: {}
 jobs:
   update_release_draft:
+    permissions:
+      pull-requests: write  #  to add label to PR (release-drafter/release-drafter)
+      contents: write  #  to create a github release (release-drafter/release-drafter)
+
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"

.github/workflows/stale-issues.yml

@@ -3,8 +3,13 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
+permissions: {}
 jobs:
   stale:
+    permissions:
+      issues: write  #  to close stale issues (actions/stale)
+      pull-requests: write  #  to close stale PRs (actions/stale)
+
     runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@v3