ci: limit default permissions to contents.read (#1447)

This change refactors all root pipelines (`trunk` and `presubmit`) to limit the contents permission to read. By default, GitHub has taken the overly-permissive approach of granting all permissions if the `permissions` map is not explicitly defined. Usability wins out over security, again. Change-Id: Idaca851385fb82eefd6c7c9b8ee46b85a3f4901c

ci: limit default permissions to contents.read (#1447)
ab8c5ccf · sudoforge · GitHub · 6ee47b96 · ab8c5ccf · ab8c5ccf
Unverified Commit ab8c5ccf authored 3 months ago by sudoforge Committed by GitHub 3 months ago
--- a/.github/workflows/presubmit.yml
+++ b/.github/workflows/presubmit.yml
@@ -20,6 +20,9 @@ concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  build-and-test:
    uses: ./.github/workflows/build-and-test.yml

--- a/.github/workflows/trunk.yml
+++ b/.github/workflows/trunk.yml
@@ -15,6 +15,9 @@ concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  build-and-test:
    uses: ./.github/workflows/build-and-test.yml