Fix CI workflow permissions (#109)

Author: lucacome

.github/workflows/ci.yml

@@ -17,12 +17,15 @@ concurrency:
   group: ${{ github.ref_name }}-ci
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build Image
     runs-on: ubuntu-22.04
     permissions:
-      contents: read # for docker/build-push-action to read repo content
+      contents: write # for lucacome/draft-release to create a draft release
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       packages: write # for docker/build-push-action to push to GHCR
     steps:

.github/workflows/dockerhub-description.yml

@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.ref_name }}-dockerhub-description
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   dockerHubDescription:
     runs-on: ubuntu-22.04

.github/workflows/labeler.yml

@@ -2,6 +2,9 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   triage:
     permissions:

.github/workflows/notifications.yml

@@ -9,6 +9,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   on-failure:
     runs-on: ubuntu-22.04

.github/workflows/stale.yml

@@ -3,6 +3,9 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     permissions: