From 91b77f61703a670a442edc68cfae02cb57b38d12 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna <diogoteles@google.com>
Date: Fri, 22 Sep 2023 19:41:19 +0000
Subject: [PATCH 1/2] ci: set minimal permissions to workflows

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
---
 .github/workflows/auto_author_assign.yml | 4 +++-
 .github/workflows/binder.yml             | 3 +++
 .github/workflows/build.yml              | 2 +-
 .github/workflows/buildutils.yml         | 3 +++
 .github/workflows/check-release.yml      | 2 +-
 .github/workflows/enforce-label.yml      | 3 +++
 .github/workflows/lock.yml               | 6 ++++--
 .github/workflows/playwright-update.yml  | 5 +++--
 .github/workflows/prep-release.yml       | 2 ++
 .github/workflows/publish-release.yml    | 3 +++
 .github/workflows/ui-tests.yml           | 3 +++
 11 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/auto_author_assign.yml b/.github/workflows/auto_author_assign.yml
index 046a6a71bf..8d576d8833 100644
--- a/.github/workflows/auto_author_assign.yml
+++ b/.github/workflows/auto_author_assign.yml
@@ -6,10 +6,12 @@ on:
     types: [opened, reopened]
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   assign-author:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: toshimaru/auto-author-assign@v1.6.2
diff --git a/.github/workflows/binder.yml b/.github/workflows/binder.yml
index ad9a237e9f..1ff492bb00 100644
--- a/.github/workflows/binder.yml
+++ b/.github/workflows/binder.yml
@@ -3,6 +3,9 @@ on:
   pull_request_target:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   binder:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b2f9b4a9d8..d138fe72fe 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,7 +8,7 @@ on:
     - cron: '0 0 * * *'
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
diff --git a/.github/workflows/buildutils.yml b/.github/workflows/buildutils.yml
index 24929cc0e5..10f188a61c 100644
--- a/.github/workflows/buildutils.yml
+++ b/.github/workflows/buildutils.yml
@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   versioning:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-release.yml b/.github/workflows/check-release.yml
index f6ceb3ccaa..dde4a8fc6e 100644
--- a/.github/workflows/check-release.yml
+++ b/.github/workflows/check-release.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
diff --git a/.github/workflows/enforce-label.yml b/.github/workflows/enforce-label.yml
index 725feab5ce..2217a7b765 100644
--- a/.github/workflows/enforce-label.yml
+++ b/.github/workflows/enforce-label.yml
@@ -1,5 +1,8 @@
 name: Enforce PR label
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 7b04bca9b0..9f2e762c71 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -5,12 +5,14 @@ on:
     - cron: '0 0 * * *'
 
 permissions:
-  issues: write
-  pull-requests: write
+  contents: read
 
 jobs:
   lock:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: dessant/lock-threads@v4
         with:
diff --git a/.github/workflows/playwright-update.yml b/.github/workflows/playwright-update.yml
index df16ded8d3..e437a95f3c 100644
--- a/.github/workflows/playwright-update.yml
+++ b/.github/workflows/playwright-update.yml
@@ -5,13 +5,14 @@ on:
     types: [created, edited]
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-snapshots:
     if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'update playwright snapshots') }}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # Required by actions/update-snapshots 
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/prep-release.yml b/.github/workflows/prep-release.yml
index 2ab42761d9..723b6d2ce1 100644
--- a/.github/workflows/prep-release.yml
+++ b/.github/workflows/prep-release.yml
@@ -19,6 +19,8 @@ on:
         description: 'Use PRs with activity since the last stable git tag'
         required: false
         type: boolean
+permissions:
+  contents: read
 jobs:
   prep_release:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index dd5b779134..38b1e4833e 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -12,6 +12,9 @@ on:
         description: 'Comma separated list of steps to skip'
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   publish_release:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml
index 8d407248c2..1c100ae301 100644
--- a/.github/workflows/ui-tests.yml
+++ b/.github/workflows/ui-tests.yml
@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build

From 51f5b8f8c5538558ee10185257a5e8bc771047c9 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna <diogoteles@google.com>
Date: Fri, 22 Sep 2023 18:14:36 -0300
Subject: [PATCH 2/2] Fix trailing whitespace on playwright-update.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Michał Krassowski <5832902+krassowski@users.noreply.github.com>
---
 .github/workflows/playwright-update.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/playwright-update.yml b/.github/workflows/playwright-update.yml
index e437a95f3c..f19743b03f 100644
--- a/.github/workflows/playwright-update.yml
+++ b/.github/workflows/playwright-update.yml
@@ -12,7 +12,7 @@ jobs:
     if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'update playwright snapshots') }}
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write # Required by actions/update-snapshots 
+      pull-requests: write # Required by actions/update-snapshots
     strategy:
       fail-fast: false
       matrix: