Restrict GITHUB_TOKEN permissions on GitHub Actions

.github/workflows/add-release-pongo.yml

@@ -5,6 +5,8 @@ on:
     tags:
     - '[1-9]+.[0-9]+.[0-9]+'
 
+permissions: read-all
+
 jobs:
   set_vars:
     name: Set Vars

.github/workflows/ast-grep.yml

@@ -10,6 +10,8 @@ on:
       # globs for files that we want to check with ast-grep here
       - '**/*.lua'
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

.github/workflows/autodocs.yml

@@ -16,6 +16,9 @@ on:
         description: "Ignore the build cache and build dependencies from scratch"
         type: boolean
         default: false
+
+permissions: read-all
+
 jobs:
   build:
     name: Build dependencies

.github/workflows/backport-fail-bot.yml

@@ -4,6 +4,8 @@ on:
   issue_comment:
     types: [created]
 
+permissions: read-all
+
 jobs:
   check_comment:
     runs-on: ubuntu-latest

.github/workflows/build.yml

@@ -10,6 +10,8 @@ on:
         description: 'Computed cache key, used for restoring cache in other workflows'
         value: ${{ jobs.build.outputs.cache-key }}
 
+permissions: read-all
+
 env:
   BUILD_ROOT: ${{ github.workspace }}/${{ inputs.relative-build-root }}
 

.github/workflows/build_and_test.yml

@@ -25,6 +25,8 @@ on:
         type: boolean
         default: false
 
+permissions: read-all
+
 # cancel previous runs if new commits are pushed to the PR, but run for each commit on master
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

.github/workflows/buildifier.yml

@@ -17,6 +17,8 @@ on:
     - master
     - release/*
 
+permissions: read-all
+
 jobs:
 
   autoformat:

.github/workflows/changelog-requirement.yml

@@ -9,6 +9,8 @@ on:
       - '.requirements'
       - 'changelog/**'
 
+permissions: read-all
+
 jobs:
   require-changelog:
     if: ${{ !contains(github.event.*.labels.*.name, 'skip-changelog') }}

.github/workflows/changelog-validation.yml

@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [ opened, synchronize ]
 
+permissions: read-all
+
 jobs:
   validate-changelog:
     name: Validate changelog

.github/workflows/community-stale.yml

@@ -3,6 +3,8 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions: read-all
+
 jobs:
   close-issues:
     runs-on: ubuntu-latest

.github/workflows/copyright-check.yml

@@ -3,6 +3,8 @@ name: Detect Unexpected EE Changes
 on:
   pull_request:
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}

.github/workflows/label-check.yml

@@ -2,6 +2,9 @@ name: Pull Request Label Checker
 on:
   pull_request:
     types: [opened, edited, synchronize, labeled, unlabeled]
+
+permissions: read-all
+
 jobs:
   check-labels:
     name: prevent merge labels

.github/workflows/label-schema.yml

@@ -2,6 +2,9 @@ name: Pull Request Schema Labeler
 on:
   pull_request:
     types: [opened, edited, labeled, unlabeled]
+
+permissions: read-all
+
 jobs:
   schema-change-labels:
     if: "${{ contains(github.event.*.labels.*.name, 'schema-change-noteworthy') }}"

.github/workflows/labeler-v2.yml

@@ -2,6 +2,8 @@ name: "Pull Request Labeler v2"
 on:
 - pull_request
 
+permissions: read-all
+
 jobs:
   labeler:
     if: ${{ !github.event.pull_request.head.repo.fork }}

.github/workflows/openresty-patches-companion.yml

@@ -4,6 +4,8 @@ on:
     paths:
     - 'build/openresty/patches/**'
 
+permissions: read-all
+
 jobs:
   create-pr:
     runs-on: ubuntu-latest

.github/workflows/perf.yml

@@ -6,6 +6,8 @@ on:
   # don't know the timezone but it's daily at least
   - cron:  '0 7 * * *'
 
+permissions: read-all
+
 env:
   terraform_version: '1.2.4'
   HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}

.github/workflows/release.yml

@@ -26,6 +26,8 @@ on:  # yamllint disable-line rule:truthy
         required: true
         type: string
 
+permissions: read-all
+
 # `commit-ly` is a flag that indicates whether the build should be run per commit.
 
 env:

.github/workflows/update-ngx-wasm-module.yml

@@ -6,6 +6,8 @@ on:
   # run weekly
   - cron: '0 0 * * 0'
 
+permissions: read-all
+
 jobs:
   update:
     runs-on: ubuntu-22.04

.github/workflows/update-test-runtime-statistics.yml

@@ -8,6 +8,8 @@ on:
     branches:
       - feat/test-run-scheduler
 
+permissions: read-all
+
 jobs:
   process-statistics:
     name: Download statistics from GitHub and combine them

.github/workflows/upgrade-tests.yml

@@ -19,6 +19,9 @@ on:
     - release/*
     - test-please/*
   workflow_dispatch:
+
+permissions: read-all
+
 # cancel previous runs if new commits are pushed to the PR, but run for each commit on master
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}