Merge pull request #1073 from incertum/chore/workflow-permissions

chore: restrict GitHub workflow permissions - future-proof

Author: bnbarham

.github/workflows/auto_update_version.yml

@@ -1,5 +1,8 @@
 name: Update PrintVersion on release branch creation
 
+permissions:
+  contents: read
+
 on:
   create
 

.github/workflows/automerge.yml

@@ -1,6 +1,8 @@
 name: Create PR to merge main into release branch
 # In the first period after branching the release branch, we typically want to include all changes from `main` also in the release branch. This workflow automatically creates a PR every Monday to merge main into the release branch.
 # Later in the release cycle we should stop this practice to avoid landing risky changes by disabling this workflow. To do so, disable the workflow as described in https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow
+permissions:
+  contents: read
 on:
   schedule:
     - cron: '0 9 * * MON'

.github/workflows/publish_release.yml

@@ -1,5 +1,8 @@
 name: Publish Release
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:

.github/workflows/pull_request.yml

@@ -3,6 +3,9 @@ name: Pull request
 # PRs created by GitHub Actions don't kick off further actions (https://github.com/peter-evans/create-pull-request/blob/d57e551ebc1a16dee0b8c9ea6d24dba7627a6e35/docs/concepts-guidelines.md#triggering-further-workflow-runs).
 # As a workaround, we mark automerge PRs that are created by GitHub actions as draft and trigger the GitHub actions by marking the PR as ready for review. We'd prefer not re-triggering testing on a normal user's PR in this case, but skipping them causes the checks to reset.
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, reopened, synchronize, ready_for_review]