[infra] Add minimum token permissions for all github workflow files (#6357)

Co-authored-by: otelbot <[email protected]>
Co-authored-by: Piotr Kiełkowicz <[email protected]>
Co-authored-by: Rajkumar Rangaraj <[email protected]>

Author: 4 people

.github/workflows/Component.BuildTest.yml

@@ -28,6 +28,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   build-test:
 

.github/workflows/add-labels.yml

@@ -7,11 +7,12 @@ on:
     branches: [ 'main*' ]
 
 permissions:
-  issues: write
-  pull-requests: write
+  contents: read
 
 jobs:
   add-labels-on-issues:
+    permissions:
+      issues: write
     if: github.event_name == 'issues' && !github.event.issue.pull_request
 
     runs-on: ubuntu-22.04
@@ -33,6 +34,8 @@ jobs:
           ISSUE_BODY: ${{ github.event.issue.body }}
 
   add-labels-on-pull-requests:
+    permissions:
+      pull-requests: write
     if: github.event_name == 'pull_request_target'
 
     runs-on: ubuntu-22.04

.github/workflows/ci.yml

@@ -9,6 +9,9 @@ on:
   pull_request:
     branches: [ 'main*' ]
 
+permissions:
+  contents: read
+
 jobs:
   lint-misspell-sanitycheck:
     uses: ./.github/workflows/sanitycheck.yml

.github/workflows/markdownlint.yml

@@ -5,6 +5,9 @@ name: Lint - Markdown
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   run-markdownlint:
     runs-on: ubuntu-22.04

.github/workflows/post-release.yml

@@ -16,6 +16,9 @@ on:
     types:
     - created
 
+permissions:
+  contents: read
+
 jobs:
   automation:
     uses: ./.github/workflows/automation.yml

.github/workflows/prepare-release.yml

@@ -23,6 +23,9 @@ on:
     types:
     - created
 
+permissions:
+  contents: read
+
 jobs:
   automation:
     uses: ./.github/workflows/automation.yml

.github/workflows/publish-packages-1.0.yml

@@ -16,6 +16,9 @@ on:
   schedule:
     - cron: '0 0 * * *' # once in a day at 00:00
 
+permissions:
+  contents: read
+
 jobs:
   automation:
     uses: ./.github/workflows/automation.yml