chore(ci): Fix potential github action smells (cypress-io#29416)

* chore(ci): fix gha smells

- Avoid running CI related actions when no source code has changed
- Use permissions whenever using Github Token
- Avoid executing  scheduled workflows on forks

* Fix typo in 'if' statement for gha workflow

Co-authored-by: Jennifer Shehane <shehane.jennifer@gmail.com>

* Add contents write permissions to upload_release_asset

---------

Co-authored-by: Jennifer Shehane <shehane.jennifer@gmail.com>
Co-authored-by: Jennifer Shehane <jennifer@cypress.io>

.github/workflows/update-browser-versions.yml

@@ -10,6 +10,8 @@ jobs:
     env:
       CYPRESS_BOT_APP_ID: ${{ secrets.CYPRESS_BOT_APP_ID }}
       BASE_BRANCH: develop
+    # Prevent from running this workflow on forks
+    if: github.repository == 'cypress-io/cypress'
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/update_v8_snapshot_cache.yml

@@ -8,6 +8,23 @@ on:
   push:
     branches:
       - 'release/**'
+    paths-ignore:
+      - .husky/**
+      - .vscode/**
+      - .eslintrc.js
+      - .gitattributes
+      - .gitignore
+      - .percy.yml
+      - .prettierignore
+      - .releaserc.js
+      - .yarnclean
+      - CHANGELOG.md
+      - CODE_OF_CONDUCT.md
+      - CONTRIBUTING.md
+      - LICENSE
+      - README.md
+      - ROADMAP.md
+      - SECURITY.md
   workflow_dispatch:
     inputs:
       branch:

.github/workflows/upload_release_asset.yml

@@ -13,6 +13,8 @@ jobs:
           FOSSA_API_KEY: ${{secrets.FOSSAAPIKEY}}
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      contents: write
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4