Set more specific GitHub token permissions on workflows. (#854)

Author: jack-edmonds-dd

.github/workflows/changelog.yaml

@@ -1,4 +1,8 @@
 name: "Ensure labels"
+
+permissions:
+  pull-requests: read
+
 on: # yamllint disable-line rule:truthy
   pull_request:
     types:

.github/workflows/codeql-analysis.yml

@@ -1,5 +1,9 @@
 name: "CodeQL"
 
+permissions:
+  contents: read
+  checks: write
+
 on:
   push:
     branches: [ master ]

.github/workflows/labeler.yml

@@ -1,4 +1,9 @@
 name: "Pull Request Labeler"
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
 - pull_request
 

.github/workflows/release.yaml

@@ -1,5 +1,9 @@
 name: Build
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
   pull_request:
   release:

.github/workflows/stale.yml

@@ -1,6 +1,12 @@
 # Configuration for https://github.com/actions/stale
 
 name: "Stale issues and pull requests"
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
 on:
   schedule:
   - cron: "0 5 * * *"

.github/workflows/test.yml

@@ -1,5 +1,8 @@
 name: test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/test_integration.yml

@@ -1,5 +1,8 @@
 name: Run Integration Tests
 
+permissions:
+  contents: read
+
 on: # yamllint disable-line rule:truthy
   pull_request:
     types: