GitHub Workflows security hardening (#12745)

* build: harden gradle.yml permissions

Signed-off-by: Alex <[email protected]>

* build: harden retry-release.yml permissions

Signed-off-by: Alex <[email protected]>

* build: harden release-notes.yml permissions

Signed-off-by: Alex <[email protected]>

* build: harden release.yml permissions

Signed-off-by: Alex <[email protected]>

Signed-off-by: Alex <[email protected]>

Author: sashashura

.github/workflows/gradle.yml

@@ -11,8 +11,16 @@ on:
       - '[4-9]+.[0-9]+.x'
       - '[3-9]+.[3-9]+.x'
   workflow_dispatch:
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   build:
+    permissions:
+      contents: read  #  to fetch code (actions/checkout)
+      checks: write  #  to publish result as PR check (scacap/action-surefire-report)
+
     runs-on: ubuntu-latest
     strategy:
       matrix:

.github/workflows/release-notes.yml

@@ -8,6 +8,10 @@ on:
       - '[4-9]+.[0-9]+.x'
       - '[3-9]+.[3-9]+.x'
   workflow_dispatch:
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   release_notes:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -2,8 +2,13 @@ name: Release
 on:
   release:
     types: [published]
+permissions: {}
 jobs:
   release:
+    permissions:
+      contents: write  #  to create release
+      issues: write  #  to modify milestones
+
     runs-on: ubuntu-latest
     strategy:
       matrix:

.github/workflows/retry-release.yml

@@ -8,8 +8,13 @@ on:
       target_branch:
         description: The Target Branch (e.g. 5.0.x)
         required: true
+permissions: {}
 jobs:
   release:
+    permissions:
+      contents: write  #  to create release
+      issues: read  #  to get closed issues
+
     runs-on: ubuntu-latest
     strategy:
       matrix: