Set permissions for Github Actions

Author: dolfinus

.github/workflows/automerge.yml

@@ -9,6 +9,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'pre-commit-ci[bot]' || github.event.pull_request.user.login == 'dependabot[bot]'
 
+    permissions:
+      contents: read
+      pull-requests: write
+
     steps:
       - uses: alexwilson/[email protected]
         with:
@@ -21,6 +25,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'pre-commit-ci[bot]' || github.event.pull_request.user.login == 'dependabot[bot]'
 
+    permissions:
+      contents: read
+      pull-requests: write
+
     steps:
       - uses: hmarr/auto-approve-action@v4
         with:

.github/workflows/cache-cleanup.yml

@@ -8,6 +8,7 @@ on:
 jobs:
   cleanup:
     runs-on: ubuntu-latest
+
     permissions:
       # `actions:write` permission is required to delete caches
       #  See also: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#delete-a-github-actions-cache-for-a-repository-using-a-cache-id

.github/workflows/changelog.yml

@@ -16,8 +16,11 @@ jobs:
   check-changelog:
     name: Changelog Entry Check
     runs-on: ubuntu-latest
-    timeout-minutes: 10
     if: "!contains(github.event.pull_request.labels.*.name, 'ci:skip-changelog') && github.event.pull_request.user.login != 'pre-commit-ci[bot]' && github.event.pull_request.user.login != 'dependabot[bot]'"
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

.github/workflows/codeql-analysis.yml

@@ -21,6 +21,7 @@ jobs:
   linters:
     name: Linters
     runs-on: ubuntu-latest
+
     permissions:
       actions: read
       contents: read

.github/workflows/dev-release.yaml

@@ -24,8 +24,10 @@ jobs:
     environment:
       name: test-pypi
       url: https://test.pypi.org/project/data-syncmaster/
+
     permissions:
       id-token: write # to auth in Test PyPI
+      contents: read
 
     steps:
       - name: Checkout code

.github/workflows/release.yaml

@@ -17,6 +17,7 @@ jobs:
     environment:
       name: pypi
       url: https://pypi.org/p/data-syncmaster
+
     permissions:
       id-token: write # to auth in PyPI
       contents: write # to create Github release

.github/workflows/repo-labels-sync.yml

@@ -16,6 +16,12 @@ on:
 jobs:
   labeler:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      issues: write # to update repo labels
+      pull-requests: write # to update repo labels
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/scheduler_docker_image.yml

@@ -21,6 +21,9 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'MobileTeleSystems/syncmaster'  # prevent running on forks
 
+    permissions:
+      contents: read
+
     steps:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

.github/workflows/server_docker_image.yml

@@ -21,6 +21,9 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'MobileTeleSystems/syncmaster'  # prevent running on forks
 
+    permissions:
+      contents: read
+
     steps:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

.github/workflows/tests.yml

@@ -15,6 +15,9 @@ concurrency:
 env:
   DEFAULT_PYTHON: '3.13'
 
+permissions:
+  contents: read
+
 jobs:
   oracle_tests:
     name: Oracle tests