infra: Minimal permissions for workflow jobs (#565)

Addresses CodeQL scan alerts related to `CWE-275`.

New CodeQL scan passes on my fork:
https://github.com/michaelnchin/langchain-aws/actions/runs/16740128948/job/47386808821

Author: michaelnchin

.github/workflows/_compile_integration_test.yml

@@ -17,6 +17,9 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write  # Needed for actions/cache used by poetry_setup action
     strategy:
       matrix:
         python-version:

.github/workflows/_integration_test.yml

@@ -35,6 +35,10 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # Needed for aws-actions/configure-aws-credentials
+      actions: write  # Needed for actions/cache used by poetry_setup action
     name: "make integration_test"
     steps:
       - uses: actions/checkout@v4

.github/workflows/_lint.yml

@@ -19,6 +19,9 @@ jobs:
   build:
     name: "make lint #${{ matrix.python-version }}"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write  # Needed for actions/cache used by poetry_setup action (and directly in this job)
     strategy:
       matrix:
         # Only lint on the min and max supported Python versions.

.github/workflows/_release.yml

@@ -25,10 +25,16 @@ env:
   PYTHON_VERSION: "3.11"
   POETRY_VERSION: "1.7.1"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: github.ref == 'refs/heads/main' || inputs.dangerous-nonmaster-release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write  # Needed for actions/upload-artifact
 
     outputs:
       pkg-name: ${{ steps.check-version.outputs.pkg-name }}
@@ -90,6 +96,9 @@ jobs:
       - build
       - test-pypi-publish
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  # Needed for aws-actions/configure-aws-credentials
     steps:
       - uses: actions/checkout@v4
 
@@ -218,6 +227,8 @@ jobs:
       # Trusted publishing has to also be configured on PyPI for each package:
       # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
       id-token: write
+      contents: read
+      actions: read  # Needed for actions/download-artifact
 
     defaults:
       run:
@@ -258,6 +269,7 @@ jobs:
       # This permission is needed by `ncipollo/release-action` to
       # create the GitHub release.
       contents: write
+      actions: read  # Needed for actions/download-artifact
 
     defaults:
       run:

.github/workflows/_test.yml

@@ -17,6 +17,9 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write  # Needed for actions/cache used by poetry_setup action
     strategy:
       matrix:
         python-version:

.github/workflows/_test_release.yml

@@ -21,6 +21,9 @@ jobs:
   build:
     if: github.ref == 'refs/heads/main' || inputs.dangerous-nonmaster-release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write  # Needed for actions/upload-artifact
 
     outputs:
       pkg-name: ${{ steps.check-version.outputs.pkg-name }}
@@ -77,6 +80,8 @@ jobs:
       # Trusted publishing has to also be configured on PyPI for each package:
       # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
       id-token: write
+      contents: read
+      actions: read  # Needed for actions/download-artifact
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/check_diffs.yml

@@ -22,6 +22,9 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read  # Needed for Ana06/get-changed-files
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
@@ -39,6 +42,9 @@ jobs:
     name: cd ${{ matrix.working-directory }}
     needs: [ build ]
     if: ${{ needs.build.outputs.dirs-to-lint != '[]' }}
+    permissions:
+      contents: read
+      actions: write  # Needed for actions/cache used by poetry_setup action in _lint.yml
     strategy:
       matrix:
         working-directory: ${{ fromJson(needs.build.outputs.dirs-to-lint) }}
@@ -51,6 +57,9 @@ jobs:
     name: cd ${{ matrix.working-directory }}
     needs: [ build ]
     if: ${{ needs.build.outputs.dirs-to-test != '[]' }}
+    permissions:
+      contents: read
+      actions: write  # Needed for actions/cache used by poetry_setup action inside _test.yml
     strategy:
       matrix:
         working-directory: ${{ fromJson(needs.build.outputs.dirs-to-test) }}
@@ -63,6 +72,9 @@ jobs:
     name: cd ${{ matrix.working-directory }}
     needs: [ build ]
     if: ${{ needs.build.outputs.dirs-to-test != '[]' }}
+    permissions:
+      contents: read
+      actions: write  # Needed for actions/cache used by poetry_setup action inside _compile_integration_test.yml
     strategy:
       matrix:
         working-directory: ${{ fromJson(needs.build.outputs.dirs-to-test) }}
@@ -76,6 +88,8 @@ jobs:
     if: |
       always()
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       JOBS_JSON: ${{ toJSON(needs) }}
       RESULTS_JSON: ${{ toJSON(needs.*.result) }}