@@ -14,6 +14,8 @@ jobs:
test:
name: Lint, Unit, Unit addons, Circular dependencies & Examples testing
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Git checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -41,6 +43,8 @@ jobs:
name: E2E testing
runs-on: ${{ matrix.os }}
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
@@ -10,6 +10,9 @@ on:
- cron: '29 23 * * 0'
workflow_dispatch:
+permissions:
+
jobs:
analyze:
name: Analyze
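Review bot: The added top-level `permissions:` key has no value as shown here, so it parses as YAML null rather than an empty mapping, and how the workflow loader treats null is not evident from the file. Another workflow in this commit spells it `permissions: {}`; the same form here would be explicit and consistent. The last hunk on the page also appears to leave its workflow-level `permissions:` bare once `pull-requests: write` is removed from under it. If `analyze` is a code-scanning job, it will presumably need its own job-level grant such as `security-events: write`. The job body is outside this hunk, so confirm that grant exists.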
@@ -6,12 +6,12 @@ on:
- 'build/**'
- 'docs/**'
-permissions:
- contents: read
+permissions: {}
check:
+ permissions: {}
- name: Check for protected folder changes
if: ${{ github.event.pull_request.author_association != 'OWNER' && github.event.pull_request.author_association != 'COLLABORATOR' }}
@@ -18,6 +18,8 @@ jobs:
read-size:
name: Tree-shaking
@@ -6,18 +6,20 @@ on:
types:
- completed
-# This workflow needs to be run with "pull-requests: write" permissions to
-# be able to comment on the pull request. We can't checkout the PR code
-# in this workflow.
-# Reference:
-# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
permissions:
- pull-requests: write
report-size:
name: Comment on PR
+ # This job needs "pull-requests: write" permissions to be able to comment
+ # on the pull request. We can't checkout the PR code in this workflow.
+ # Reference:
+ # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ pull-requests: write
if: github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
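Review bot: The relocated comment on `report-size` explains why the PR code is not checked out, but it does not say that everything else the job reads from the triggering run is equally untrusted while the token carries `pull-requests: write`. I would add one line to that comment, e.g. `# Treat artifacts and any PR number taken from the triggering run as untrusted input; validate before use.` The `if:` gate only checks the event type and conclusion, both of which a pull request from a fork can satisfy. The job's steps are outside the hunk, so it is not visible here whether they already validate that data.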