Configure permissions of GITHUB_TOKEN in workflows

.github/workflows/check-certificates.yml

@@ -27,6 +27,7 @@ jobs:
       (github.event_name != 'pull_request' && github.repository == 'arduino/arduino-lint') ||
       (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'arduino/arduino-lint')
     runs-on: ubuntu-latest
+    permissions: {}
     strategy:
       fail-fast: false
 

.github/workflows/check-code-generation-task.yml

@@ -28,6 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       result: ${{ steps.determination.outputs.result }}
+    permissions: {}
     steps:
       - name: Determine if the rest of the workflow should run
         id: determination
@@ -51,6 +52,7 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions: {}
 
     steps:
       - name: Checkout local repository

.github/workflows/check-general-formatting-task.yml

@@ -14,6 +14,8 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Set environment variables

.github/workflows/check-go-dependencies-task.yml

@@ -37,6 +37,7 @@ on:
 jobs:
   run-determination:
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       result: ${{ steps.determination.outputs.result }}
     steps:
@@ -62,6 +63,8 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -118,6 +121,8 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/check-go-task.yml

@@ -28,6 +28,7 @@ on:
 jobs:
   run-determination:
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       result: ${{ steps.determination.outputs.result }}
     steps:
@@ -54,6 +55,8 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -89,6 +92,8 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -127,6 +132,8 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -165,6 +172,8 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -203,6 +212,8 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false

.github/workflows/check-license.yml

@@ -31,6 +31,8 @@ on:
 jobs:
   check-license:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/check-markdown-task.yml

@@ -36,6 +36,8 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -55,6 +57,8 @@ jobs:
 
   links:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/check-mkdocs-task.yml

@@ -37,6 +37,8 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/check-prettier-formatting-task.yml

@@ -201,6 +201,8 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/check-python-task.yml

@@ -33,6 +33,8 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -60,6 +62,8 @@ jobs:
 
   formatting:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/check-shell-task.yml

@@ -27,6 +27,8 @@ jobs:
   lint:
     name: ${{ matrix.configuration.name }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     env:
       # See: https://github.com/koalaman/shellcheck/releases/latest
@@ -89,6 +91,8 @@ jobs:
 
   formatting:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Set environment variables
@@ -132,6 +136,8 @@ jobs:
 
   executable:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/check-workflows-task.yml

@@ -20,6 +20,8 @@ on:
 jobs:
   validate:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/deploy-cobra-mkdocs-versioned-poetry.yml

@@ -32,6 +32,7 @@ on:
 jobs:
   publish-determination:
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       result: ${{ steps.determination.outputs.result }}
     steps:
@@ -51,6 +52,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: publish-determination
     if: needs.publish-determination.outputs.result == 'true'
+    permissions:
+      contents: write
 
     steps:
       - name: Checkout repository

.github/workflows/publish-go-nightly-task.yml

@@ -21,6 +21,8 @@ on:
 jobs:
   create-nightly-artifacts:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       matrix:
@@ -66,6 +68,9 @@ jobs:
       checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
       checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
 
+    permissions:
+      contents: read
+
     env:
       GON_CONFIG_PATH: gon.config.hcl
 
@@ -166,6 +171,7 @@ jobs:
   publish-nightly:
     runs-on: ubuntu-latest
     needs: notarize-macos
+    permissions: {}
 
     steps:
       - name: Download artifact
@@ -194,6 +200,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: publish-nightly
     if: failure() # Run if publish-nightly or any of its job dependencies failed
+    permissions: {}
 
     steps:
       - name: Report failure

.github/workflows/publish-go-tester-task.yml

@@ -34,6 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       result: ${{ steps.determination.outputs.result }}
+    permissions: {}
     steps:
       - name: Determine if the rest of the workflow should run
         id: determination
@@ -57,6 +58,7 @@ jobs:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       prefix: ${{ steps.calculation.outputs.prefix }}
     steps:
@@ -75,6 +77,8 @@ jobs:
     needs: package-name-prefix
     name: Build ${{ matrix.os.name }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       matrix:
@@ -135,6 +139,8 @@ jobs:
       - build
       - package-name-prefix
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Download build artifacts

.github/workflows/release-go-task.yml

@@ -18,6 +18,8 @@ on:
 jobs:
   create-release-artifacts:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       matrix:
@@ -71,6 +73,8 @@ jobs:
     outputs:
       checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
       checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
+    permissions:
+      contents: read
 
     env:
       GON_CONFIG_PATH: gon.config.hcl
@@ -172,6 +176,8 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
     needs: notarize-macos
+    permissions:
+      contents: write
 
     steps:
       - name: Download artifact

.github/workflows/spell-check-task.yml

@@ -18,6 +18,8 @@ on:
 jobs:
   spellcheck:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository

.github/workflows/sync-labels.yml

@@ -24,6 +24,8 @@ env:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -55,6 +57,7 @@ jobs:
   download:
     needs: check
     runs-on: ubuntu-latest
+    permissions: {}
 
     strategy:
       matrix:
@@ -82,6 +85,9 @@ jobs:
   sync:
     needs: download
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
 
     steps:
       - name: Set environment variables

.github/workflows/test-go-integration-task.yml

@@ -38,6 +38,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       result: ${{ steps.determination.outputs.result }}
+    permissions: {}
     steps:
       - name: Determine if the rest of the workflow should run
         id: determination
@@ -60,6 +61,8 @@ jobs:
   test:
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
+    permissions:
+      contents: read
 
     strategy:
       matrix:

.github/workflows/test-go-task.yml

@@ -34,6 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       result: ${{ steps.determination.outputs.result }}
+    permissions: {}
     steps:
       - name: Determine if the rest of the workflow should run
         id: determination
@@ -57,6 +58,8 @@ jobs:
     name: test (${{ matrix.module.path }} - ${{ matrix.operating-system }})
     needs: run-determination
     if: needs.run-determination.outputs.result == 'true'
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false