chore(ci): Harden GitHub Actions token permissions

.github/workflows/changelog.yaml

@@ -16,6 +16,9 @@ on:
   merge_group:
     types: [checks_requested]
 
+permissions:
+  contents: read
+
 jobs:
   validate-changelog:
     permissions:

.github/workflows/cla.yml

@@ -40,9 +40,9 @@ jobs:
           branch: 'vector'
           remote-repository-name: cla-signatures
           remote-organization-name: DataDog
+          allowlist: step-security-bot
 
          # the followings are the optional inputs - If the optional inputs are not given, then default values will be taken
-          #allowlist: user1,bot*
           #create-file-commit-message: 'For example: Creating file for storing CLA Signatures'
           #signed-commit-message: 'For example: $contributorName has signed the CLA in $owner/$repo#$pullRequestNo'
           #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign'

.github/workflows/cleanup-ghcr-images.yml

@@ -13,6 +13,9 @@ on:
     - cron: '0 2 * * 0'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

.github/workflows/gardener_open_issue.yml

@@ -6,6 +6,9 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read
+
 jobs:
   add-to-project:
     name: Add issue to Gardener project board

.github/workflows/labeler.yml

@@ -2,6 +2,9 @@ name: "Pull Request Labeler"
 on:
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   label:
     runs-on: ubuntu-24.04

.github/workflows/master_merge_queue.yml

@@ -20,7 +20,7 @@ on:
     types: [checks_requested]
 
 permissions:
-  statuses: write
+  contents: read
 
 concurrency:
   # `github.ref` is unique for MQ runs and PRs
@@ -112,6 +112,8 @@ jobs:
     secrets: inherit
 
   master-merge-queue-check:
+    permissions:
+      statuses: write
     name: Master Merge Queue Suite
     # Always run this so that pull_request triggers are marked as success.
     if: always()

.github/workflows/msrv.yml

@@ -14,6 +14,9 @@ env:
   CI: true
   PROFILE: debug
 
+permissions:
+  contents: read
+
 jobs:
   check-msrv:
     runs-on: ubuntu-24.04

.github/workflows/publish-homebrew.yml

@@ -17,6 +17,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   publish-homebrew:
     runs-on: ubuntu-24.04

.github/workflows/semantic.yml

@@ -9,8 +9,14 @@ on:
   pull_request:
     types: [opened, edited, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
     name: Check Semantic PR
     runs-on: ubuntu-24.04
     steps:

.github/workflows/spelling.yml

@@ -67,6 +67,9 @@ on:
     - 'reopened'
     - 'synchronize'
 
+permissions:
+  contents: read
+
 jobs:
   spelling:
     name: Check Spelling