Status: Open
Labels: Type: Task (Discrete task to implement)
Description
Summary
Context read: https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/
I enabled CodeQL scanning, which showed some issues around GH token scoping. These issues are valid, but tailoring them to every workflow will take some work and understanding the scopes. Some GH Actions might require additional permissions.
https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions
It's important to verify that the workflows are still working after this hardening, especially scheduled ones that don't run on every PR.
Completion Criteria
- Add all necessary permission blocks to the workflows based on the least-required principle
- Assert that all workflows still work correctly.
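An added example of the before/after change this task describes, not taken from the issue or the repository's own workflows; the file path, the `make test` step and the CodeQL job are assumptions chosen to show a job that needs more than the read-only default:

```yaml
# BEFORE (weak): .github/workflows/ci.yml (path is an assumption)
# No `permissions:` key, so every job receives the repository's default
# GITHUB_TOKEN scope, which is write-all on repositories created before
# February 2023 unless the repository setting was changed.
name: CI
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test

---
# AFTER (hardened): the same workflow with explicit least-privilege scopes.
# Shown as a second YAML document only for side-by-side comparison; in the
# repository it replaces the file above.
name: CI
on:
  pull_request:
  schedule:
    - cron: '0 6 * * 1'   # scheduled runs never execute on a PR: trigger one
                          # manually (or wait for the schedule) to verify them
permissions:
  contents: read          # workflow-wide default: read-only token for every job
jobs:
  test:
    runs-on: ubuntu-latest  # inherits contents: read, nothing else
    steps:
      - uses: actions/checkout@v4
      - run: make test
  codeql:
    runs-on: ubuntu-latest
    permissions:            # a job-level block replaces the workflow default
      contents: read
      actions: read         # CodeQL reads workflow run metadata (private repos)
      security-events: write  # needed to upload SARIF results to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

Any scope not listed in an explicit `permissions:` block is set to `none` for that workflow or job, so a step that starts failing with a 403 after this change is the signal that it needs its scope added deliberately rather than the default restored.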
Additional Links & Resources
Project status: Ready