add permissions to github workflows (#9746)

* add permissions to github workflows

update all the github workflows to specify the set of permissions
they require, ensuring that each workflow includes the least privileges
it required to complete the task

* added comments for write permissions

* fix wrong write permissions set

* update wrong comments

* update wrong write permissions

Author: dario-piotrowicz

.github/workflows/c3-dependabot-versioning-prs.yml

@@ -4,6 +4,11 @@ on:
     paths:
       - "packages/create-cloudflare/src/frameworks/package.json"
 
+permissions:
+  # content:write permission needed to update add changesets to dependabot PRs
+  # (see tools/dependabot/generate-dependabot-pr-changesets.ts)
+  contents: write
+
 jobs:
   generate-changeset:
     runs-on: ubuntu-22.04

.github/workflows/c3-e2e.yml

@@ -3,6 +3,9 @@ on:
   merge_group:
   pull_request:
 
+permissions:
+  contents: read
+
 env:
   # TODO: switch back to 20.x onces [email protected] includes a fix for https://github.com/nodejs/node/issues/57869
   NODE_VERSION: 22

.github/workflows/changesets.yml

@@ -5,6 +5,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  # note: no write permissions are needed since the workflow uses GH_ACCESS_TOKEN instead of GITHUB_TOKEN
+
 jobs:
   release:
     if: ${{ github.repository_owner == 'cloudflare' }}

.github/workflows/deploy-pages-previews.yml

@@ -20,6 +20,11 @@ on:
   pull_request:
     types: [synchronize, opened, reopened, labeled, unlabeled]
 
+permissions:
+  contents: read
+  # pull-request:write permission needed so that the workflow can comment on PRs
+  pull-requests: write
+
 jobs:
   deploy-pages-projects:
     # Only run this on PRs that are for the "cloudflare" org and not "from" `main`

.github/workflows/e2e-project-cleanup.yml

@@ -1,10 +1,15 @@
 # This workflow cleans up any leftover projects created by e2e runs.
 
 name: E2E Project Cleanup
+
 on:
   workflow_dispatch:
   schedule:
     - cron: "0 3 * * *" # Run at 3am each day
+
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     timeout-minutes: 30

.github/workflows/e2e.yml

@@ -4,6 +4,9 @@ on:
   merge_group:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   e2e-wrangler-test:
     name: ${{ format('Wrangler ({0})', matrix.description) }}

.github/workflows/holopin.yml

@@ -5,6 +5,10 @@ on:
       - closed
       - labeled
 
+permissions:
+  # pull-request:write permission needed so that the workflow can comment on PRs
+  pull-requests: write
+
 jobs:
   issue_lava_lamp_holobyte:
     name: Issue Lava Lamp Holobyte

.github/workflows/hotfix-release.yml

@@ -1,4 +1,5 @@
 name: Release a hotfix
+
 on:
   workflow_dispatch:
     inputs:
@@ -14,6 +15,10 @@ on:
         type: string
         default: hotfix
         required: true
+
+permissions:
+  contents: read
+
 jobs:
   hotfix-release:
     name: Hotfix Release

.github/workflows/issues.yml

@@ -4,6 +4,10 @@ on:
   issues:
     types: [opened, transferred]
 
+permissions:
+  # issues:write permission needed so that the workflow can manage issues
+  issues: write
+
 jobs:
   add-to-project:
     name: Add issue to project

.github/workflows/miniflare-dependabot-versioning-prs.yml

@@ -1,9 +1,15 @@
 name: "Miniflare - Generate changesets for dependabot PRs"
+
 on:
   pull_request_target:
     paths:
       - "packages/miniflare/package.json"
 
+permissions:
+  # content:write permission needed to update add changesets to dependabot PRs
+  # (see tools/dependabot/generate-dependabot-pr-changesets.ts)
+  contents: write
+
 jobs:
   generate-changeset:
     runs-on: ubuntu-22.04