authorVarun Sharma <varunsh@stepsecurity.io>2022-07-08 10:53:38 -0700
committerVarun Sharma <varunsh@stepsecurity.io>2022-07-08 10:53:38 -0700
commit2c71278a2395d6d8c4e06d1ebe4de1ffdae727c7 (patch)
treedae8142c39e39d2e045ef99d690e498e77095297 /.github/workflows
parent1ba4ca5995d9711b5f15fd070543d9fe948e7110 (diff)
ci: Add GitHub token permissions for workflows
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/backport.yml6
-rw-r--r--.github/workflows/basic-eval.yml3
-rw-r--r--.github/workflows/direct-push.yml5
-rw-r--r--.github/workflows/pending-clear.yml5
-rw-r--r--.github/workflows/pending-set.yml5
-rw-r--r--.github/workflows/periodic-merge-24h.yml6
-rw-r--r--.github/workflows/periodic-merge-6h.yml6
7 files changed, 36 insertions, 0 deletions
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 4ee5adfaac1ee..53066456f98d8 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -8,8 +8,14 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
+permissions:
+  contents: read
+
 jobs:
   backport:
+    permissions:
+      contents: write  # for zeebe-io/backport-action to create branch
+      pull-requests: write  # for zeebe-io/backport-action to create PR to backport
     name: Backport Pull Request
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
     runs-on: ubuntu-latest
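Review bot: The `if:` guard on the `backport` job, which with this change carries `contents: write` and `pull-requests: write`, appears to have the `startsWith` arguments reversed: GitHub's `startsWith(searchString, searchValue)` tests whether the first argument begins with the second, so `startsWith('backport', github.event.label.name)` is true only when the label name is a prefix of the literal `backport`, not when a label such as `backport release-22.05` is applied. If the intent is to run for labels beginning with `backport`, the call should read `startsWith(github.event.label.name, 'backport')`. Since this condition is the only thing limiting when the write-scoped token is handed to the backport action on a `labeled` event, it is worth fixing alongside the permissions tightening. The job definition continues past the end of the hunk.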
diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml
index 9a196923cf4a3..2d31392caf456 100644
--- a/.github/workflows/basic-eval.yml
+++ b/.github/workflows/basic-eval.yml
@@ -10,6 +10,9 @@ on:
   #   branches:
   #    - master
   #    - release-**
+permissions:
+  contents: read
+
 jobs:
   tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/direct-push.yml b/.github/workflows/direct-push.yml
index 082a4806e619b..167253ac6db62 100644
--- a/.github/workflows/direct-push.yml
+++ b/.github/workflows/direct-push.yml
@@ -4,8 +4,13 @@ on:
     branches:
      - master
      - release-**
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write  # for peter-evans/commit-comment to comment on commit
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     env:
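Review bot: `contents: write` on the `build` job is the minimum GitHub offers for creating a commit comment, but it also lets the token push to any branch of the repository, and this workflow runs on pushes to `master` and `release-**`. The step that uses peter-evans/commit-comment is outside the hunk, so I cannot see how it is referenced; if it is pinned by tag rather than by commit SHA, consider pinning it (`uses: peter-evans/commit-comment@<sha>  # vN`) so a moved tag cannot run arbitrary code with a write-capable token. A short comment on the permission such as `# contents: write is required for commit comments; it also grants push` would make the trade-off explicit to the next maintainer.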
diff --git a/.github/workflows/pending-clear.yml b/.github/workflows/pending-clear.yml
index d06b1e2143f12..7e8960597e5c6 100644
--- a/.github/workflows/pending-clear.yml
+++ b/.github/workflows/pending-clear.yml
@@ -4,8 +4,13 @@ on:
   check_suite:
     types: [ completed ]
 
+permissions:
+  contents: read
+
 jobs:
   action:
+    permissions:
+      statuses: write
     runs-on: ubuntu-latest
     steps:
     - name: clear pending status
diff --git a/.github/workflows/pending-set.yml b/.github/workflows/pending-set.yml
index b15e4847e67c5..0dc3031d87c08 100644
--- a/.github/workflows/pending-set.yml
+++ b/.github/workflows/pending-set.yml
@@ -8,8 +8,13 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
+permissions:
+  contents: read
+
 jobs:
   action:
+    permissions:
+      statuses: write
     runs-on: ubuntu-latest
     steps:
     - name: set pending status
diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml
index a6a5ff3af2b74..2eec69f652577 100644
--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -14,8 +14,14 @@ on:
     # Merge every 24 hours
     - cron:  '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-latest
     strategy:
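Review bot: `issues: write` on the `periodic-merge` job is sufficient for peter-evans/create-or-update-comment only when the comment target is an issue; in my experience the same issue-comments endpoint used for a pull request needs `pull-requests: write` instead and fails with "Resource not accessible by integration" otherwise. The `issue-number` passed to that step lies outside the hunk, so please confirm the target; if it is a PR, add `pull-requests: write  # for peter-evans/create-or-update-comment when the target is a PR`. The identical block in periodic-merge-6h.yml should be kept in sync with whatever is decided here. The job's steps run past the end of the hunk.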
diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml
index 5588d216ea030..bcc9f48835883 100644
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@@ -14,8 +14,14 @@ on:
     # Merge every 6 hours
     - cron:  '0 */6 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-latest
     strategy:
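Review bot: As in periodic-merge-24h.yml, `issues: write` covers peter-evans/create-or-update-comment only if the comment target is an issue; commenting on a pull request through the same endpoint appears to require `pull-requests: write` with the default token. The `issue-number` used by that step is outside the hunk, so confirm the target and, if it is a PR, add `pull-requests: write  # for peter-evans/create-or-update-comment when the target is a PR` here and in the 24h workflow so the two stay consistent. The job's steps continue past the end of the hunk.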