ci: Update GitHub Actions workflows to follow principle of least privilege

Default to `permissions: read-all` in all workflows and then add
additional permissions as needed at the job level

Signed-off-by: Benjamin Cabé <[email protected]>

Author: kartben

.github/workflows/assigner.yml

@@ -15,11 +15,17 @@ on:
     types:
     - labeled
 
+permissions:
+  contents: read
+
 jobs:
   assignment:
     name: Pull Request Assignment
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write # to add assignees to pull requests
+      issues: write        # to add assignees to issues
 
     steps:
     - name: Install Python dependencies

.github/workflows/backport.yml

@@ -7,10 +7,17 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     name: Backport
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write       # to create/push backport branches
+      pull-requests: write  # to create backport PRs
+      issues: write         # to add labels to issue created if backport fails
     # Only react to merged PRs for security reasons.
     # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
     if: >

.github/workflows/backport_issue_check.yml

@@ -10,6 +10,9 @@ on:
     branches:
       - v*-branch
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     name: Backport Issue Check
@@ -18,6 +21,8 @@ jobs:
       cancel-in-progress: true
     runs-on: ubuntu-22.04
     if: github.repository == 'zephyrproject-rtos/zephyr'
+    permissions:
+      issues: read # to check if associated issue exists for backport
 
     steps:
       - name: Check out source code

.github/workflows/bsim-tests-publish.yaml

@@ -5,11 +5,17 @@ on:
     workflows: ["BabbleSim Tests"]
     types:
       - completed
+
+permissions:
+  contents: read
+
 jobs:
   bsim-test-results:
     name: "Publish BabbleSim Test Results"
     runs-on: ubuntu-22.04
     if: github.event.workflow_run.conclusion != 'skipped'
+    permissions:
+      checks: write # to create the check run entry with test results
 
     steps:
       - name: Download artifacts

.github/workflows/bsim-tests.yaml

@@ -28,6 +28,9 @@ on:
       - "drivers/serial/*nrfx*"
       - "tests/drivers/uart/**"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
@@ -45,6 +48,9 @@ jobs:
       BSIM_OUT_PATH: /opt/bsim/
       BSIM_COMPONENTS_PATH: /opt/bsim/components
       EDTT_PATH: ../tools/edtt
+    permissions:
+      checks: write # to create the check run entry with test results
+
     steps:
       - name: Apply container owner mismatch workaround
         run: |

.github/workflows/bug_snapshot.yaml

@@ -13,6 +13,9 @@ on:
   # Run daily at 14:05
   - cron: '5 14 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   make_bugs_pickle:
     name: Make bugs pickle

.github/workflows/codecov.yaml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '25 06,18 * * *'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true

.github/workflows/coding_guidelines.yml

@@ -2,6 +2,9 @@ name: Coding Guidelines
 
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   compliance_job:
     runs-on: ubuntu-22.04

.github/workflows/compliance.yml

@@ -8,6 +8,9 @@ on:
     - reopened
     - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   check_compliance:
     runs-on: ubuntu-22.04

.github/workflows/daily_test_version.yml

@@ -10,6 +10,9 @@ on:
     branches:
     - refs/tags/*
 
+permissions:
+  contents: read
+
 jobs:
   get_version:
     runs-on: ubuntu-22.04