chore: update top level workflow permissions (#1848)

.github/workflows/codacy-analysis.yml

@@ -17,6 +17,11 @@ on:
   schedule:
     - cron: '15 16 * * 2'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   codacy-security-scan:
     # Cancel other workflows that are running for the same branch

.github/workflows/codeql.yml

@@ -20,6 +20,11 @@ on:
   schedule:
     - cron: '44 20 * * 0'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/issue-comment-test.yml

@@ -1,4 +1,8 @@
 name: Issue Comment Test
+
+permissions:
+   contents: read
+
 on:
   issue_comment:
 

.github/workflows/manual-test.yml

@@ -1,5 +1,8 @@
 name: Manual Test
 
+permissions:
+   contents: read
+
 on:
   workflow_dispatch:
 

.github/workflows/matrix-test.yml

@@ -1,5 +1,8 @@
 name: Matrix Test
 
+permissions:
+   contents: read
+
 on:
   workflow_dispatch:
   pull_request:

.github/workflows/multi-job-test.yml

@@ -1,5 +1,8 @@
 name: Multi Job Test
 
+permissions:
+   contents: read
+
 on:
   push:
     branches:
@@ -8,9 +11,6 @@ on:
     branches:
       - "**"
 
-permissions:
-  contents: read
-
 jobs:
   changed-files:
     name: Get changed files

.github/workflows/sync-release-version.yml

@@ -1,4 +1,9 @@
-name: Update release version.
+name: Update release version
+
+permissions:
+   contents: read
+   pull-requests: write
+
 on:
   release:
     types: [published]

.github/workflows/test.yml

@@ -1,5 +1,9 @@
 name: CI
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   push:
     branches:

.github/workflows/update-readme.yml

@@ -1,5 +1,9 @@
 name: Format README.md
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   push:
     branches:

.github/workflows/workflow-run-test.yml

@@ -4,6 +4,9 @@ on:
     workflows: [Matrix Test]
     types: [completed]
 
+permissions:
+  contents: read
+
 jobs:
   on-success:
     runs-on: ubuntu-latest