[actions] setting minimum token permissions for github actions

ashishkurmi · ljharb · commit b2260ca1b6ad · 2022-10-30T23:41:47.000-07:00
Signed-off-by: Ashish Kurmi &lt;akurmi@stepsecurity.io&gt;
diff --git a/.github/workflows/node-pretest.yml b/.github/workflows/node-pretest.yml
@@ -2,6 +2,9 @@ name: 'Tests: pretest/posttest'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   pretest:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml
@@ -2,6 +2,9 @@ name: 'Tests: node.js'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
@@ -2,8 +2,14 @@ name: Automatic Rebase
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
+    permissions:
+      contents: write  # for ljharb/rebase to push code to rebase
+      pull-requests: read  # for ljharb/rebase to get info about PR
     name: "Automatic Rebase"
 
     runs-on: ubuntu-latest
diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml
@@ -2,8 +2,13 @@ name: Require “Allow Edits”
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
+    permissions:
+      pull-requests: read  # for ljharb/require-allow-edits to check 'allow edits' on PR
     name: "Require “Allow Edits”"
 
     runs-on: ubuntu-latest
