chore(ci): microcks#97 Specify the most restrictive permissions

Signed-off-by: Laurent Broudoux <[email protected]>

Author: lbroudoux

.github/workflows/cicd.yml

@@ -24,6 +24,8 @@ permissions: read-all
 jobs:
   version:
     name: Define Version
+    permissions:
+      contents: read
     uses: ./.github/workflows/steps.dotnet-version.yml
     with:
       runs-on: ubuntu-latest

.github/workflows/steps.dotnet-build-test.yml

@@ -23,6 +23,8 @@
       publish-package:
         description: 'Publish package is enabled ?'
         value: ${{ jobs.build_test.outputs.publish-package }}
+permissions: read-all
+
 jobs:
   build_test:
     runs-on: ${{ inputs.runs-on }}

.github/workflows/steps.dotnet-nuget-publish.yml

@@ -8,6 +8,8 @@ on:
     secrets:
       NUGET_KEY:
         required: true
+permissions: read-all
+
 jobs:
   nuget-publish:
     if: ${{ github.event_name != 'pull_request' && github.repository == 'microcks/microcks-testcontainers-dotnet' }}

.github/workflows/steps.dotnet-version.yml

@@ -15,6 +15,8 @@
       majorMinorPatch:
         description: 'majorMinorPatch (gitversion)'
         value: ${{ jobs.define_version.outputs.majorMinorPatch }}
+permissions: read-all
+
 jobs:
   define_version:
     runs-on: ${{ inputs.runs-on }}

.github/workflows/steps.github-release-draft.yml

@@ -12,6 +12,9 @@
 jobs:
   release_drafter:
     if: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }}
+    permissions:
+      contents: write
+      deployments: write
     runs-on: ${{ inputs.runs-on }}
     steps:
     - name: 🔄 Checkout

.github/workflows/steps.publish-test-reporter.yml

@@ -5,6 +5,10 @@
         required: false
         type: string
         default: 'ubuntu-latest'
+permissions:
+  contents: read
+  actions: read
+  checks: write
 
 jobs:
   report: