build: add GitHub token permissions for workflows

Signed-off-by: Varun Sharma <[email protected]>

PR-URL: #43743
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Rich Trott <[email protected]>

Author: varunsh-coder

.github/workflows/authors.yml

@@ -6,6 +6,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   authors_update:
     if: github.repository == 'nodejs/node'

.github/workflows/auto-start-ci.yml

@@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }}
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   get-prs-for-ci:
+    permissions:
+      pull-requests: read
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     outputs:
@@ -32,6 +37,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   start-ci:
+    permissions:
+      contents: read
+      pull-requests: write
     needs: get-prs-for-ci
     if: needs.get-prs-for-ci.outputs.numbers != ''
     runs-on: ubuntu-latest

.github/workflows/build-tarball.yml

@@ -31,6 +31,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   build-tarball:
     if: github.event.pull_request.draft == false

.github/workflows/build-windows.yml

@@ -26,6 +26,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   build-windows:
     if: github.event.pull_request.draft == false

.github/workflows/close-stale-feature-requests.yml

@@ -28,8 +28,14 @@ env:
     [feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
 # yamllint enable
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     steps:

.github/workflows/close-stalled.yml

@@ -9,8 +9,14 @@ env:
     is still relevant, or to ping the collaborator who labelled it stalled if
     you have any questions.
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     steps:

.github/workflows/comment-labeled.yml

@@ -11,8 +11,14 @@ env:
     If it should remain open, please leave a comment explaining why it should remain open.
   FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve.
 
+permissions:
+  contents: read
+
 jobs:
   stale-comment:
+    permissions:
+      issues: write
+      pull-requests: write
     if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled'
     runs-on: ubuntu-latest
     steps:
@@ -23,6 +29,8 @@ jobs:
         run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE"
 
   fast-track:
+    permissions:
+      pull-requests: write
     if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track'
     runs-on: ubuntu-latest
     steps:

.github/workflows/commit-lint.yml

@@ -5,6 +5,9 @@ on: [pull_request]
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   lint-commit-message:
     runs-on: ubuntu-latest

.github/workflows/commit-queue.yml

@@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }}
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+
 jobs:
   get_mergeable_prs:
+    permissions:
+      pull-requests: read
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     outputs:

.github/workflows/coverage-linux.yml

@@ -29,6 +29,9 @@ env:
   PYTHON_VERSION: '3.10'
   FLAKY_TESTS: dontcare
 
+permissions:
+  contents: read
+
 jobs:
   coverage-linux:
     if: github.event.pull_request.draft == false