fix(actions): Add missing permissions for workflows

Author: lucasssvaz

.github/workflows/allboards.yml

@@ -5,6 +5,9 @@ on:
   repository_dispatch:
     types: [test-boards]
 
+permissions:
+  contents: read
+
 jobs:
   find-boards:
     runs-on: ubuntu-latest
@@ -36,10 +39,6 @@ jobs:
         with:
           ref: ${{ github.event.client_payload.branch }}
 
-      - run: npm install
-      - name: Setup jq
-        uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a # v3.0.1
-
       - id: set-test-chunks
         name: Set Chunks
         run: echo "test-chunks<<EOF" >> $GITHUB_OUTPUT

.github/workflows/boards.yml

@@ -8,6 +8,9 @@ on:
       - "libraries/ESP32/examples/CI/CIBoardsTest/CIBoardsTest.ino"
       - ".github/workflows/boards.yml"
 
+permissions:
+  contents: read
+
 env:
   # It's convenient to set variables for values used multiple times in the workflow
   GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
@@ -24,9 +27,6 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Setup jq
-        uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a # v3.0.1
-
       - name: Get board name
         run: bash .github/scripts/find_new_boards.sh ${{ github.repository }} ${{github.base_ref}}
 

.github/workflows/build_component.yml

@@ -45,6 +45,9 @@ on:
       - "!*.txt"
       - "!*.properties"
 
+permissions:
+  contents: read
+
 concurrency:
   group: build-component-${{github.event.pull_request.number || github.ref}}
   cancel-in-progress: true
@@ -114,6 +117,7 @@ jobs:
           submodules: recursive
           path: components/arduino-esp32
 
+      # Need to install jq in the container to be able to use it in the script
       - name: Setup jq
         uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a # v3.0.1
 

.github/workflows/build_py_tools.yml

@@ -9,6 +9,10 @@ on:
       - "tools/gen_esp32part.py"
       - "tools/gen_insights_package.py"
 
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   find-changed-tools:
     name: Check if tools have been changed

.github/workflows/codeql.yml

@@ -15,6 +15,12 @@ on:
       - ".github/workflows/*.yml"
       - ".github/workflows/*.yaml"
 
+permissions:
+  actions: read
+  contents: read
+  pull-requests: read
+  security-events: write
+
 jobs:
   codeql-analysis:
     name: CodeQL ${{ matrix.language }} analysis

.github/workflows/docs_build.yml

@@ -13,6 +13,9 @@ on:
       - "docs/**"
       - ".github/workflows/docs_build.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build-docs:
     name: Build ESP-Docs

.github/workflows/docs_deploy.yml

@@ -13,6 +13,9 @@ on:
       - "docs/**"
       - ".github/workflows/docs_deploy.yml"
 
+permissions:
+  contents: read
+
 jobs:
   deploy-prod-docs:
     name: Deploy Documentation on Production

.github/workflows/gh-pages.yml

@@ -10,6 +10,10 @@ on:
       - ".github/scripts/on-pages.sh"
       - ".github/workflows/gh-pages.yml"
 
+permissions:
+  contents: write
+  pages: write
+
 jobs:
   build-pages:
     name: Build GitHub Pages

.github/workflows/lib.yml

@@ -13,6 +13,10 @@ concurrency:
   group: libs-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: write
+  pull-requests: read
+
 env:
   # It's convenient to set variables for values used multiple times in the workflow
   SKETCHES_REPORTS_PATH: libraries-report

.github/workflows/pre-commit.yml

@@ -12,6 +12,10 @@ concurrency:
   group: pre-commit-${{github.event.pull_request.number || github.ref}}
   cancel-in-progress: true
 
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   lint:
     if: |