ci: add explicit permissions to workflows

Author: hesreallyhim

.github/workflows/ci.yml

@@ -10,6 +10,10 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  actions: write
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/realistic-test.yml

@@ -10,10 +10,16 @@ concurrency:
   group: realistic-test
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   realistic:
     name: Realistic — ${{ matrix.name }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -43,6 +49,9 @@ jobs:
   realistic-diag:
     name: Diagnostics — ${{ matrix.name }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
     needs: [realistic]
     if: ${{ needs.realistic.result != 'skipped' }}
     strategy:

.github/workflows/self-test.yml

@@ -63,10 +63,16 @@ concurrency:
   group: self-test
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   scenario:
     name: Scenario — ${{ matrix.name }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -137,6 +143,9 @@ jobs:
   scenario-diag:
     name: Diagnostics — ${{ matrix.name }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
     needs: [scenario]
     strategy:
       max-parallel: 1

HANDOFF.md

@@ -97,10 +97,16 @@ function generateWorkflow(): string {
   lines.push("  group: self-test");
   lines.push("  cancel-in-progress: true");
   lines.push("");
+  lines.push("permissions:");
+  lines.push("  contents: read");
+  lines.push("");
   lines.push("jobs:");
   lines.push("  scenario:");
   lines.push("    name: Scenario — ${{ matrix.name }}");
   lines.push("    runs-on: ubuntu-latest");
+  lines.push("    permissions:");
+  lines.push("      contents: read");
+  lines.push("      actions: write");
   lines.push("    strategy:");
   lines.push("      max-parallel: 1");
   lines.push("      fail-fast: false");
@@ -134,6 +140,9 @@ function generateWorkflow(): string {
   lines.push("  scenario-diag:");
   lines.push("    name: Diagnostics — ${{ matrix.name }}");
   lines.push("    runs-on: ubuntu-latest");
+  lines.push("    permissions:");
+  lines.push("      contents: read");
+  lines.push("      actions: read");
   lines.push("    needs: [scenario]");
   lines.push("    strategy:");
   lines.push("      max-parallel: 1");
@@ -198,10 +207,16 @@ function generateRealisticWorkflow(): string | null {
   lines.push("  group: realistic-test");
   lines.push("  cancel-in-progress: true");
   lines.push("");
+  lines.push("permissions:");
+  lines.push("  contents: read");
+  lines.push("");
   lines.push("jobs:");
   lines.push("  realistic:");
   lines.push("    name: Realistic — ${{ matrix.name }}");
   lines.push("    runs-on: ubuntu-latest");
+  lines.push("    permissions:");
+  lines.push("      contents: read");
+  lines.push("      actions: write");
   lines.push("    strategy:");
   lines.push("      max-parallel: 1");
   lines.push("      fail-fast: false");
@@ -227,6 +242,9 @@ function generateRealisticWorkflow(): string | null {
   lines.push("  realistic-diag:");
   lines.push("    name: Diagnostics — ${{ matrix.name }}");
   lines.push("    runs-on: ubuntu-latest");
+  lines.push("    permissions:");
+  lines.push("      contents: read");
+  lines.push("      actions: read");
   lines.push("    needs: [realistic]");
   lines.push("    if: ${{ needs.realistic.result != 'skipped' }}");
   lines.push("    strategy:");