ci: limit default permissions to contents.read (#1447)

sudoforge created

This change refactors all root pipelines (`trunk` and `presubmit`) to
limit the contents permission to read. By default, GitHub has taken the
overly-permissive approach of granting all permissions if the
`permissions` map is not explicitly defined. Usability wins out over
security, again.

Change-Id: Idaca851385fb82eefd6c7c9b8ee46b85a3f4901c

Change summary

.github/workflows/presubmit.yml | 3 +++
.github/workflows/trunk.yml     | 3 +++
2 files changed, 6 insertions(+)

Detailed changes

.github/workflows/presubmit.yml

@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     uses: ./.github/workflows/build-and-test.yml
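Review bot: the new workflow-level `permissions:` map does more than the commit message states, since listing only `contents: read` sets every other GITHUB_TOKEN scope (checks, pull-requests, issues, packages, ...) to `none`, and because `build-and-test` is a reusable workflow call, its callee can only downgrade, never raise, the scopes it inherits from this caller. Please confirm that `./.github/workflows/build-and-test.yml` does not declare or rely on any write scope (e.g. posting check results or commenting on the PR), otherwise that job will start failing on presubmit; if one is needed, grant it narrowly at the job level rather than loosening the top-level map.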

.github/workflows/trunk.yml

@@ -15,6 +15,9 @@ concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     uses: ./.github/workflows/build-and-test.yml
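Review bot: this hunk is identical to the presubmit change and looks correct, but any job later added to `trunk` that must write to the repository (tags, releases, packages) will now need its own job-level `permissions:` block to opt back in. To keep future workflows from silently falling back to the permissive default, consider also setting the repository's Actions "Workflow permissions" to read-only, so a file that omits `permissions:` inherits `contents: read` instead of write.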