Merge pull request #3143 from AlchemyCMS/backport/7.1-stable/pr-3139

[7.1-stable] CI: Set workflow permissions

Author: tvdeyen

.github/workflows/backport.yml

@@ -6,6 +6,9 @@ on:
       - closed
       - labeled
 
+permissions:
+  pull-requests: write
+
 jobs:
   backport:
     name: Backport

.github/workflows/brakeman-analysis.yml

@@ -3,6 +3,14 @@
 
 name: Brakeman Scan
 
+concurrency:
+  group: brakeman-${{ github.ref_name }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+  contents: read
+  security-events: write
+
 on:
   push:
     branches:

.github/workflows/build.yml

@@ -9,6 +9,8 @@ on:
 
 jobs:
   check_yarn_lock:
+    permissions:
+      contents: read
     runs-on: ubuntu-22.04
     name: Check yarn.lock
     steps:

.github/workflows/lint.yml

@@ -2,6 +2,13 @@ name: Lint
 
 on: [pull_request]
 
+concurrency:
+  group: lint-${{ github.ref_name }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+  contents: read
+
 jobs:
   Standard:
     runs-on: ubuntu-22.04

.github/workflows/stale.yml

@@ -4,10 +4,13 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   stale:
     runs-on: ubuntu-22.04
-
     steps:
       - uses: actions/stale@v5
         with:

.github/workflows/test.yml

@@ -6,6 +6,9 @@ on:
       - 7.1-stable
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   RSpec:
     runs-on: ubuntu-22.04