ci: set minimum amount of permission needed for each workflow (#54)

Author: zimeg

.github/workflows/delete-pr-build-on-close.yml

@@ -21,6 +21,8 @@ jobs:
   delete-pre-release:
     name: Delete pre-release if exists
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Delete pre-release and tag named after branch
         env:

.github/workflows/dependencies.yml

@@ -7,6 +7,8 @@ jobs:
   golang:
     name: Bump the Golang version
     runs-on: ubuntu-latest
+    permissions:
+      contents: none # Permissions are set with an application token
     steps:
       - name: Gather credentials
         id: credentials

.github/workflows/e2e_tests.yml

@@ -17,6 +17,8 @@ jobs:
   execute:
     name: Start tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: none
     steps:
       - name: Trigger CircleCI 'local' workflow
         if: ${{ github.event.inputs.status == 'false' }}

.github/workflows/license_check.yml

@@ -10,6 +10,8 @@ jobs:
   check-headers:
     name: Check that license headers are in place
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/[email protected]
         with:

.github/workflows/sync-docs-from-cli-repo.yml

@@ -17,7 +17,8 @@ jobs:
   config-sync:
     name: Sync docs to docs site repo
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
       - name: Generate a GitHub token
         id: ghtoken

.github/workflows/tests.yml

@@ -15,6 +15,8 @@ jobs:
   lint-test:
     name: Lints and Unit tests
     runs-on: macos-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/[email protected]
         with:
@@ -49,6 +51,9 @@ jobs:
   health-score:
     needs: lint-test
     runs-on: macos-latest
+    permissions:
+      checks: write
+      contents: read
     steps:
       - uses: actions/[email protected]
       - name: Set up Go