Specify permissions in GH Action workflows (#1679)

* Specify permissions in GH Action workflows

* Added contents permissions write to deploy your static files to GitHub Pages

* Added permissions required by actions

Author: antonwolfy

.github/workflows/build-sphinx.yml

@@ -6,6 +6,8 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, closed]
 
+permissions: read-all
+
 env:
   GH_BOT_NAME: 'github-actions[bot]'
   GH_BOT_EMAIL: 'github-actions[bot]@users.noreply.github.com'
@@ -25,6 +27,14 @@ jobs:
 
     runs-on: ubuntu-20.04
 
+    permissions:
+      # Needed to cancel any previous runs that are not completed for a given workflow
+      actions: write
+      # Needed to deploy static files to GitHub Pages
+      contents: write
+      # Needed to add a comment to a pull request's issue
+      pull-requests: write
+
     env:
       python-ver: '3.9'
       CHANNELS: '-c dppy/label/dev -c intel -c conda-forge --override-channels'

.github/workflows/conda-package.yml

@@ -6,6 +6,8 @@ on:
       - master
   pull_request:
 
+permissions: read-all
+
 env:
   PACKAGE_NAME: dpnp
   MODULE_NAME: dpnp
@@ -58,6 +60,10 @@ jobs:
         python: ['3.9', '3.10', '3.11']
         os: [ubuntu-20.04, windows-latest]
 
+    permissions:
+      # Needed to cancel any previous runs that are not completed for a given workflow
+      actions: write
+
     runs-on: ${{ matrix.os }}
 
     defaults:

.github/workflows/generate_coverage.yaml

@@ -4,11 +4,17 @@ on:
   push:
     branches: [master]
 
+permissions: read-all
+
 jobs:
   generate-coverage:
     name: Generate coverage and push to Coveralls.io
     runs-on: ubuntu-20.04
 
+    permissions:
+      # Needed to cancel any previous runs that are not completed for a given workflow
+      actions: write
+
     defaults:
       run:
         shell: bash -l {0}

.github/workflows/pre-commit.yml

@@ -5,6 +5,8 @@ on:
   push:
     branches: [master]
 
+permissions: read-all
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest