ci(security): reduce workflows permissions (#355)

Set by default the permission to read-all in all the workflows and add
the proper permissions for the following workflows:

* CI
* release-please
* Release Publish Artifacts

closes #352

Signed-off-by: Jonathan Gonzalez V. <[email protected]>

Author: sxd

.github/workflows/ci.yml

@@ -4,9 +4,14 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   ci:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: write
     steps:
       - name: Cleanup Disk
         uses: jlumbroso/[email protected]

.github/workflows/publish-docs.yml

@@ -16,6 +16,8 @@ concurrency:
   group: "pages"
   cancel-in-progress: false
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/release-please.yml

@@ -5,9 +5,14 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       # TODO: googleapis/release-please-action cannot sign commits yet.
       #   We'll use the cli until there's a fix for

.github/workflows/release-publish.yml

@@ -3,9 +3,14 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   release-publish-artifacts:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4