Add GitHub token permissions for workflows (PowerShell#17781)

Signed-off-by: Varun Sharma <[email protected]>

Author: varunsh-coder

.github/workflows/codeql-analysis.yml

@@ -14,8 +14,15 @@ defaults:
 env:
   DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     name: Analyze
     runs-on: ubuntu-18.04
 

.github/workflows/createReminders.yml

@@ -4,8 +4,14 @@ on:
   issue_comment:
     types: [created, edited]
 
+permissions:
+  contents: read
+
 jobs:
   reminder:
+    permissions:
+      issues: write  # for agrc/create-reminder-action to set reminders on issues
+      pull-requests: write  # for agrc/create-reminder-action to set reminders on PRs
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/daily.yml

@@ -16,8 +16,14 @@ env:
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
   POWERSHELL_TELEMETRY_OPTOUT: 1
 
+permissions:
+  contents: read
+
 jobs:
   update-dotnet-preview:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update .NET preview
     timeout-minutes: 15
     runs-on: windows-latest
@@ -57,6 +63,9 @@ jobs:
           base: master
           branch: dotnet_update
   update-tpn:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update Notices File
     timeout-minutes: 15
     runs-on: windows-latest
@@ -97,6 +106,9 @@ jobs:
           draft: false
           branch: update-cgmanifest
   update-cgmanifest:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update cgmanifest
     timeout-minutes: 15
     runs-on: windows-latest

.github/workflows/exp-json.yml

@@ -16,6 +16,9 @@ env:
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
   POWERSHELL_TELEMETRY_OPTOUT: 1
 
+permissions:
+  contents: read
+
 jobs:
   create-expjson:
     strategy:
@@ -72,6 +75,9 @@ jobs:
           path: experimental-feature-*-new.json
 
   compare-expjson-files:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-latest
     name: Compare experimental json files and create PR
     needs: create-expjson

.github/workflows/markdownLink.yml

@@ -5,6 +5,9 @@ on:
       - 'release/**'
 
 name: Check links for modified files
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest

.github/workflows/markdownLinkDaily.yml

@@ -9,6 +9,9 @@ on:
   # At 13:00 UTC every day.
   - cron:  '0 13 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest

.github/workflows/processReminders.yml

@@ -5,8 +5,14 @@ on:
     - cron: '*/15 * * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   reminder:
+    permissions:
+      issues: write  # for agrc/reminder-action to set reminders on issues
+      pull-requests: write  # for agrc/reminder-action to set reminders on PRs
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/rebase.yml

@@ -5,8 +5,14 @@ on:
   issue_comment:
     types: [created]
 name: Automatic Rebase
+permissions:
+  contents: read
+
 jobs:
   rebase:
+    permissions:
+      contents: write  # for cirrus-actions/rebase to push code to rebase
+      pull-requests: write  # for actions/github-script to create PR comment
     name: Rebase
     if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
     runs-on: ubuntu-latest