
ci: add minimum GitHub token permissions for workflows #1470

Merged (1 commit), Sep 9, 2022

Conversation

ashishkurmi
Contributor

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes.
Here is an example of the permissions in one of the workflow runs:
https://github.com/webpack-contrib/css-loader/runs/8160728230?check_suite_focus=true#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflow:

  • cancel.yml

The following workflow file already has the least privileged token permission set:

  • nodejs.yml

Motivation and Context

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io
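The pattern this PR applies, as an added example that is not taken from css-loader's own workflow files: one top-level `permissions:` block makes the GITHUB_TOKEN read-only for every job, and a job that genuinely needs a write scope declares only that scope at job level. The workflow name, job names and steps are hypothetical.

```yaml
# Added example, not css-loader's cancel.yml or nodejs.yml.
# A workflow with no `permissions:` block runs with the repository's default
# GITHUB_TOKEN, which on many repositories has write access to several scopes
# (see the run linked in the PR description). Declaring `permissions:` at the
# top level replaces that default for every job in the file.
name: example-least-privilege
on:
  pull_request:

# Workflow-wide default: read-only access to repository contents.
# Every scope not listed here becomes "none" for all jobs below
# (only the implicit `metadata: read` always remains).
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    # No job-level block, so this job inherits the read-only default above.
    steps:
      - uses: actions/checkout@v3
      - run: npm ci && npm run lint

  comment:
    runs-on: ubuntu-latest
    # A job-level block replaces (does not merge with) the top-level block
    # for this job only, so `contents: read` has to be restated. Grant the
    # single write scope this job needs and nothing more.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "only this job's token can write to pull requests"
```

A quick way to verify the effect is the "Set up job" step of a run, which lists the GITHUB_TOKEN permissions the job actually received; unlisted scopes should show as none.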

@linux-foundation-easycla

linux-foundation-easycla bot commented Sep 9, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: boahc077 / name: Ashish Kurmi (f17ccbe)

snitin315
snitin315 previously approved these changes Sep 9, 2022
@codecov

codecov bot commented Sep 9, 2022

Codecov Report

Base: 96.81% // Head: 96.81% // No change to project coverage 👍

Coverage data is based on head (ea7787a) compared to base (57ebc7a).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1470   +/-   ##
=======================================
  Coverage   96.81%   96.81%           
=======================================
  Files          12       12           
  Lines        1131     1131           
  Branches      411      411           
=======================================
  Hits         1095     1095           
  Misses         27       27           
  Partials        9        9           


@ashishkurmi
Contributor Author

@snitin315 thanks so much for reviewing my PR. I looked at the failed lint check. It appears to be a Node linter, whereas the change I am making is related to GitHub Actions, which uses YAML. Is there any way to add exceptions for such failures, as it may not be applicable to this PR?

@snitin315
Member

Lint is failing for the cancel.yml file, so it is related. Please run prettier locally to fix lint.

Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
@ashishkurmi
Contributor Author

@snitin315 thanks for the pointer. I ran prettier locally to fix cancel.yaml. There was an extra space in my YAML comment. I made the fix and squashed my previous two commits. Please take a look again.
