Merge pull request #998 from github/michaelrfairhurst/fix-workflow-permissions

Add workflow permissions

Author: MichaelRFairhurst

.github/workflows/code-scanning-pack-gen.yml

@@ -1,4 +1,6 @@
 name: Code Scanning Query Pack Generation
+permissions:
+  contents: read
 
 on:
   merge_group:

.github/workflows/codeql_unit_tests.yml

@@ -1,4 +1,6 @@
 name: CodeQL Unit Testing
+permissions:
+  contents: read
 
 on:
   merge_group:

.github/workflows/dispatch-matrix-test-on-comment.yml

@@ -1,4 +1,8 @@
 name: 🤖 Run Matrix Check (On Comment)
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
 
 on:
   issue_comment:

.github/workflows/dispatch-release-performance-check.yml

@@ -1,4 +1,8 @@
 name: 🏁 Run Release Performance Check
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
 
 on:
   issue_comment:

.github/workflows/extra-rule-validation.yml

@@ -1,4 +1,6 @@
 name: ⚙️ Extra Rule Validation
+permissions:
+  contents: read
 
 on:
   merge_group:

.github/workflows/finalize-release.yml

@@ -1,4 +1,9 @@
 name: Finalize Release
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+
 on:
   pull_request:
     types:

.github/workflows/generate-html-docs.yml

@@ -1,4 +1,6 @@
 name: Generate HTML documentation
+permissions:
+  contents: read
 
 on:
   merge_group:

.github/workflows/standard_library_upgrade_tests.yml

@@ -1,4 +1,6 @@
 name: CodeQL Standard Library Upgrade tests
+permissions:
+  contents: read
 
 # Run this workflow every time the "supported_codeql_configs.json" file is changed
 on:

.github/workflows/tooling-unit-tests.yml

@@ -1,4 +1,6 @@
 name: 🧰 Tooling unit tests
+permissions:
+  contents: read
 
 on:
   merge_group:

.github/workflows/update-check-run.yml

@@ -1,4 +1,7 @@
 name: Update check run
+permissions:
+  contents: read
+  checks: write
 
 on:
   workflow_dispatch:
@@ -37,9 +40,6 @@ on:
         type: string
         default: '{}'
 
-permissions:
-  checks: write
-
 jobs:
   update-check-run:
     runs-on: ubuntu-22.04