Set minimal workflow permissions (#53297)

Author: pnacht

.github/workflows/accept-baselines-fix-lints.yaml

@@ -3,10 +3,16 @@ name: Accept Baselines and Fix Lints
 on:
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-node@v3

.github/workflows/ci.yml

@@ -10,6 +10,9 @@ on:
       - main
       - release-*
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -21,6 +21,9 @@ on:
     #        *  * * * *
     - cron: '30 1 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
     # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest

.github/workflows/ensure-related-repos-run-crons.yml

@@ -11,6 +11,9 @@ on:
         - cron: '0 0 1 * *'
     workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/error-deltas-watchdog.yaml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: '0 0 * * 3' # Every Wednesday
 
+permissions:
+  contents: read
+
 jobs:
   check-for-recent:
     runs-on: ubuntu-latest

.github/workflows/new-release-branch.yaml

@@ -4,10 +4,16 @@ on:
   repository_dispatch:
     types: new-release-branch
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/setup-node@v3
     - run: |

.github/workflows/nightly.yaml

@@ -8,6 +8,9 @@ on:
   repository_dispatch:
     types: publish-nightly
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/release-branch-artifact.yaml

@@ -5,6 +5,9 @@ on:
     branches:
       - release-*
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/rich-navigation.yml

@@ -10,6 +10,9 @@ on:
       - main
       - release-*
 
+permissions:
+  contents: read
+
 jobs:
   richnav:
     runs-on: windows-latest

.github/workflows/set-version.yaml

@@ -4,10 +4,16 @@ on:
   repository_dispatch:
     types: set-version
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/setup-node@v3
     - uses: actions/checkout@v3

.github/workflows/sync-branch.yaml

@@ -9,10 +9,16 @@ on:
         description: 'Target Branch Name'
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/setup-node@v3
     - uses: actions/checkout@v3

.github/workflows/sync-wiki.yml

@@ -2,6 +2,9 @@ name: Sync Two Uncyclo Repos
 
 on: [gollum]
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     runs-on: ubuntu-latest

.github/workflows/twoslash-repros.yaml

@@ -19,6 +19,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   run:
     if: ${{ github.repository == 'microsoft/TypeScript' }}

.github/workflows/update-lkg.yml

@@ -3,10 +3,16 @@ name: Update LKG
 on:
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-node@v3

.github/workflows/update-package-lock.yaml

@@ -7,11 +7,17 @@ on:
         - cron: '0 6 * * *'
     workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     if: github.repository == 'microsoft/TypeScript'
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/checkout@v3
       with: