From f135bfa3e53bead76903937a3f4bbe7b9ea2cc14 Mon Sep 17 00:00:00 2001
From: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Date: Mon, 4 Jul 2022 14:12:32 -0500
Subject: [PATCH] chore: Set permissions for GitHub actions (#8550)

Restrict the GitHub token permissions only to just what is required and make them read-only where possible.

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
---
 .github/workflows/build-cli.yml         | 5 +++++
 .github/workflows/integration-tests.yml | 3 +++
 .github/workflows/nodejs.yml            | 3 +++
 .github/workflows/release-insiders.yml  | 3 +++
 .github/workflows/release.yml           | 3 +++
 5 files changed, 17 insertions(+)

diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 1fc0f016f44a..299a9a9415da 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -8,8 +8,13 @@ on:
 env:
   CI: true
 
+permissions:
+  contents: read
+
 jobs:
   build_cli:
+    permissions:
+      contents: write # for softprops/action-gh-release to create GitHub release
     runs-on: macos-11
     steps:
       - uses: actions/checkout@v2
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 8f023dbc6cc6..4c2812b6196a 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 3fdea06cd956..abb81dad4a8a 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-insiders.yml b/.github/workflows/release-insiders.yml
index bc7b345b4434..e9661feb36fa 100644
--- a/.github/workflows/release-insiders.yml
+++ b/.github/workflows/release-insiders.yml
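Review bot: The job-level `contents: write` on build_cli is granted to every step of that job, not only to the softprops/action-gh-release step the comment names, so the checkout and build steps that precede the release upload also run with a write-scoped GITHUB_TOKEN. If the upload can be isolated, moving it into its own job that carries the write grant and leaving build_cli at the workflow default of `contents: read` confines the write scope to the one step that needs it; the job's remaining steps lie outside the hunk, so I can't tell from here whether any of them also require it. Keeping the inline comment that names the consumer of the scope is the right practice and should be carried over to wherever the grant ends up.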
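Review bot: The workflow-level read-only block in integration-tests.yml becomes the default for every job in the file, and since the job bodies lie outside the hunk it can't be confirmed here that no step still needs another scope (pull-requests, packages, id-token); the same applies to the identical blocks in nodejs.yml and release-insiders.yml. A one-line comment would record the intent for the next editor, e.g. `contents: read # workflow default; every scope not listed here is 'none'`.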
@@ -4,6 +4,9 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a5bb7c2f8e9f..5fa806898408 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
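Review bot: release.yml is triggered on `release: published` and its build job now receives only `contents: read`; the job's steps are outside the hunk, so if any of them attach assets to the release or publish a package, that job now needs a job-level grant of the kind build-cli.yml adds (`permissions:` with `contents: write` and a comment naming the consumer). Worth confirming against the full workflow before merging, because a missing scope only surfaces as a failed API call at run time rather than at workflow load.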