From a57f4dcc814fa55691c9ee5fc6e07c7487cb69f1 Mon Sep 17 00:00:00 2001
From: Tonye Jack
Date: Sat, 13 Jan 2024 00:31:45 -0700
Subject: [PATCH] chore: update top level workflow permissions (#1848)

---
 .github/workflows/codacy-analysis.yml | 5 +++++
 .github/workflows/codeql.yml | 5 +++++
 .github/workflows/issue-comment-test.yml | 4 ++++
 .github/workflows/manual-test.yml | 3 +++
 .github/workflows/matrix-test.yml | 3 +++
 .github/workflows/multi-job-test.yml | 6 +++---
 .github/workflows/sync-release-version.yml | 7 ++++++-
 .github/workflows/test.yml | 4 ++++
 .github/workflows/update-readme.yml | 4 ++++
 .github/workflows/workflow-run-test.yml | 3 +++
 10 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/codacy-analysis.yml b/.github/workflows/codacy-analysis.yml
index 22a29b75544..6e8485b4d67 100644
--- a/.github/workflows/codacy-analysis.yml
+++ b/.github/workflows/codacy-analysis.yml
@@ -17,6 +17,11 @@ on:
   schedule:
     - cron: '15 16 * * 2'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   codacy-security-scan:
     # Cancel other workflows that are running for the same branch
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d352feaa0fb..3de65469773 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,11 @@ on:
   schedule:
     - cron: '44 20 * * 0'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/issue-comment-test.yml b/.github/workflows/issue-comment-test.yml
index 2c765dd60a0..029b559d2f0 100644
--- a/.github/workflows/issue-comment-test.yml
+++ b/.github/workflows/issue-comment-test.yml
@@ -1,4 +1,8 @@
 name: Issue Comment Test
+
+permissions:
+  contents: read
+
 on:
   issue_comment:
 
diff --git a/.github/workflows/manual-test.yml b/.github/workflows/manual-test.yml
index a683cac6015..a5b19628c57 100644
--- a/.github/workflows/manual-test.yml
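Review bot: The new `permissions` block in codacy-analysis.yml gives no indication of why `actions: read` and `security-events: write` are needed, and the identical block is added in codeql.yml; someone tightening permissions later could drop `actions: read` without knowing it is the entry GitHub's code-scanning templates mark as required only for private repositories. I'd annotate each entry inline, e.g. `actions: read  # only required for private repositories (run status lookup)` and `security-events: write  # required to upload SARIF results to code scanning`. The job bodies are outside both hunks, so I can't confirm from here whether either job needs anything beyond these three scopes.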
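Review bot: The top-level `contents: read` in issue-comment-test.yml drops the token to read-only for every job, which is the right default for an `issue_comment`-triggered workflow, since it runs on the default branch with secrets available regardless of who commented. The jobs are outside the hunk; if one of them posts a comment or label back, it will now fail with a 403 and should request `issues: write` or `pull-requests: write` at the job level rather than by widening this block. I'd record that intent above the block, e.g. `# Read-only by default; a job that must write back requests it in its own permissions`.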
+++ b/.github/workflows/manual-test.yml
@@ -1,5 +1,8 @@
 name: Manual Test
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
diff --git a/.github/workflows/matrix-test.yml b/.github/workflows/matrix-test.yml
index fac34846881..b2cc82245e8 100644
--- a/.github/workflows/matrix-test.yml
+++ b/.github/workflows/matrix-test.yml
@@ -1,5 +1,8 @@
 name: Matrix Test
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   pull_request:
diff --git a/.github/workflows/multi-job-test.yml b/.github/workflows/multi-job-test.yml
index b02766fbd9a..5dc6ec84eab 100644
--- a/.github/workflows/multi-job-test.yml
+++ b/.github/workflows/multi-job-test.yml
@@ -1,5 +1,8 @@
 name: Multi Job Test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -8,9 +11,6 @@ on:
     branches:
       - "**"
 
-permissions:
-  contents: read
-
 jobs:
   changed-files:
     name: Get changed files
diff --git a/.github/workflows/sync-release-version.yml b/.github/workflows/sync-release-version.yml
index 448a6e84f30..bf601bb3a3c 100644
--- a/.github/workflows/sync-release-version.yml
+++ b/.github/workflows/sync-release-version.yml
@@ -1,4 +1,9 @@
-name: Update release version.
+name: Update release version
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   release:
     types: [published]
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 789ae9811e2..e4e299270b7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,9 @@
 name: CI
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   push:
     branches:
diff --git a/.github/workflows/update-readme.yml b/.github/workflows/update-readme.yml
index 0b6c1c331d7..6b9705322aa 100644
--- a/.github/workflows/update-readme.yml
+++ b/.github/workflows/update-readme.yml
@@ -1,5 +1,9 @@
 name: Format README.md
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   push:
     branches:
diff --git a/.github/workflows/workflow-run-test.yml b/.github/workflows/workflow-run-test.yml
index a5fcdf067c5..e83b6614cf0 100644
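Review bot: In sync-release-version.yml the new top-level `pull-requests: write` (likewise in test.yml and update-readme.yml) is granted to every job in the workflow, not only the one that opens or updates a pull request, because GitHub applies a workflow-level `permissions` block to all jobs. The least-privilege layout is `contents: read` at the top and `pull-requests: write` declared inside the single job that needs it. Separately, a workflow that pushes a commit or branch with `GITHUB_TOKEN` is rejected under `contents: read`; the jobs of sync-release-version.yml and update-readme.yml are outside these hunks, so please confirm they use a separate token or that a job-level `contents: write` is intended.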
--- a/.github/workflows/workflow-run-test.yml
+++ b/.github/workflows/workflow-run-test.yml
@@ -4,6 +4,9 @@ on:
     workflows: [Matrix Test]
     types: [completed]
 
+permissions:
+  contents: read
+
 jobs:
   on-success:
     runs-on: ubuntu-latest
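Review bot: The top-level `contents: read` in workflow-run-test.yml is appropriate because a `workflow_run` workflow executes on the default branch with its secrets even when the triggering `Matrix Test` run came from a pull request, but the block does not say so and the `on-success` job body continues outside the hunk. If that job fetches artifacts or run metadata from the triggering run through the API it will additionally need `actions: read`, which should be declared on the job rather than by widening this block. I'd document the intent above it, e.g. `# workflow_run runs with the default branch's secrets; keep the token read-only here`.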