Set workflow permissions (#1547)

Author: gcatanese

.github/workflows/codeql-analysis.yml

@@ -4,6 +4,10 @@ on:
   schedule:
     - cron: '0 0 * * 4'
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   CodeQL-Build:
 

.github/workflows/format.yml

@@ -5,11 +5,12 @@ on:
     branches:
       - 'sdk-automation/models'
 
+permissions:
+  contents: write
+
 jobs:
   format:
     if: ${{ github.event.commits != null && !startsWith(github.event.head_commit.message, 'style(fmt)') }}
-    permissions:
-      contents: write
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/javaci.yml

@@ -11,6 +11,9 @@ on:
       - promote/main
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   java-check:
     name: Java Code Check

.github/workflows/label_new_issues.yml

@@ -3,6 +3,9 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  issues: write
+
 jobs:
   add-label:
     runs-on: ubuntu-latest

.github/workflows/publish.yml

@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -20,12 +20,13 @@ on:
     branches:
       - main
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release:
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
-    permissions:
-      contents: write
-      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/stale.yml

@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: '30 8 * * *'
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest