authorDiogo Teles Sant'Anna <diogoteles@google.com>2023-05-18 21:08:10 (GMT)
committerGitHub <noreply@github.com>2023-05-18 21:08:10 (GMT)
commit14edcfaffd6c2bbe487236742ae19093be9fe9dd (patch)
treeca5f2ba69a559467f5806d912c50448b76882402 /.github/workflows
parent482920808f1ec5f33770af1360bdf56ebec5eb8c (diff)
ci: set minimal permissions on GitHub Workflows (#2980)
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/clang-format-check.yml2
-rw-r--r--.github/workflows/clang-format-fix.yml4
-rw-r--r--.github/workflows/cmake-ctest.yml3
-rw-r--r--.github/workflows/codespell.yml2
-rw-r--r--.github/workflows/daily-build.yml3
-rw-r--r--.github/workflows/hdfeos5.yml3
-rw-r--r--.github/workflows/main.yml3
-rw-r--r--.github/workflows/tarball.yml3
8 files changed, 23 insertions, 0 deletions
diff --git a/.github/workflows/clang-format-check.yml b/.github/workflows/clang-format-check.yml
index 70809a1..56d2b48 100644
--- a/.github/workflows/clang-format-check.yml
+++ b/.github/workflows/clang-format-check.yml
@@ -1,6 +1,8 @@
name: clang-format Check
on:
pull_request:
+permissions:
+ contents: read
jobs:
formatting-check:
name: Formatting Check
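Review bot: The workflow-level `permissions:` block added here has no comment, unlike the job-level grant in clang-format-fix.yml, so a maintainer who later adds a step needing another scope gets no hint why it fails. Naming any scope sets every unlisted GITHUB_TOKEN scope to `none`, which is the point of the change but is not obvious from `contents: read` alone. I would add above the key `# Least privilege: scopes not listed here are none; widen per job, not at workflow level.` The same uncommented block is added in codespell.yml, cmake-ctest.yml, daily-build.yml, hdfeos5.yml, main.yml and tarball.yml.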
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml
index 00d2352..5981118 100644
--- a/.github/workflows/clang-format-fix.yml
+++ b/.github/workflows/clang-format-fix.yml
@@ -11,11 +11,15 @@ name: clang-format Commit Changes
on:
workflow_dispatch:
push:
+permissions:
+ contents: read
jobs:
formatting-check:
name: Commit Format Changes
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'skip-ci')"
+ permissions:
+ contents: write # In order to allow EndBug/add-and-commit to commit changes
steps:
- uses: actions/checkout@v3
- name: Fix C and Java formatting issues detected by clang-format
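Review bot: The job-level `contents: write` added under `formatting-check` is granted to every step of the job, and the one action visible in this hunk, `actions/checkout@v3`, is referenced by a mutable tag. A retagged or compromised action release would then run with a token that can push to the repository, so the actions in this job are worth pinning to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha> # v3`. The same applies to EndBug/add-and-commit, whose `uses:` line is outside the hunk. The steps list continues past the end of the hunk, so how the later steps are pinned is not visible here.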
diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
index c21872d..02d8205 100644
--- a/.github/workflows/cmake-ctest.yml
+++ b/.github/workflows/cmake-ctest.yml
@@ -9,6 +9,9 @@ on:
required: true
type: string
+permissions:
+ contents: read
+
# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel
jobs:
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index ddf1038..37294bf 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -3,6 +3,8 @@
# https://github.com/codespell-project/actions-codespell
name: codespell
on: [push, pull_request]
+permissions:
+ contents: read
jobs:
codespell:
name: Check for spelling errors
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 0e040ca..04e52ac 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -6,6 +6,9 @@ on:
schedule:
- cron: "6 0 * * *"
+permissions:
+ contents: read
+
# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel.
jobs:
diff --git a/.github/workflows/hdfeos5.yml b/.github/workflows/hdfeos5.yml
index 03c9746..089e8df 100644
--- a/.github/workflows/hdfeos5.yml
+++ b/.github/workflows/hdfeos5.yml
@@ -19,6 +19,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
build:
name: Build hdfeos5
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0711d00..8892588 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
cancel-in-progress: true
+permissions:
+ contents: read
+
# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel. We just have one job, but the matrix items defined below will
# run in parallel.
diff --git a/.github/workflows/tarball.yml b/.github/workflows/tarball.yml
index 12f3438..e68cb64 100644
--- a/.github/workflows/tarball.yml
+++ b/.github/workflows/tarball.yml
@@ -11,6 +11,9 @@ on:
description: "The common base name of the source tarballs"
value: ${{ jobs.create_tarball.outputs.file_base }}
+permissions:
+ contents: read
+
# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel
jobs: