Add permissions to example workflows, restrict permissions in CI

.github/workflows/ci-cd.yml

@@ -10,6 +10,7 @@ on:
   schedule:
     - cron: '0 16 * * *'
   workflow_dispatch:
+permissions: {}
 
 jobs:
   test:
@@ -122,6 +123,9 @@ jobs:
       github.event.sender.login != 'dependabot[bot]' &&
       ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository )
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
 
     steps:
       - name: Checkout
@@ -152,6 +156,10 @@ jobs:
       github.event.sender.login != 'dependabot[bot]' &&
       ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository )
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
+      security-events: write
 
     steps:
       - name: Checkout
@@ -213,6 +221,10 @@ jobs:
       github.event.sender.login != 'dependabot[bot]' &&
       ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository )
     runs-on: ${{ matrix.os }}
+    permissions:
+      checks: write
+      pull-requests: write
+
     strategy:
       fail-fast: false
       max-parallel: 3
@@ -291,6 +303,9 @@ jobs:
       github.event.sender.login != 'dependabot[bot]' &&
       ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository )
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
 
     steps:
       - name: Checkout
@@ -332,6 +347,9 @@ jobs:
       github.event.sender.login != 'dependabot[bot]' &&
       ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository )
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
 
     steps:
       - name: Checkout

.github/workflows/unit-test-results.yml

@@ -5,20 +5,17 @@ on:
     workflows: ["CI/CD"]
     types:
       - completed
+permissions: {}
 
 jobs:
-  debug:
-    name: Debug
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Debug Action
-        uses: hmarr/debug-action@v2.0.1
-
   unit-test-results:
     name: Unit Test Results (reference)
-    runs-on: ubuntu-latest
     if: github.event.workflow_run.conclusion != 'skipped'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      pull-requests: write
 
     steps:
       - name: Download and Extract Artifacts

README.md

@@ -108,9 +108,9 @@ The following permissions are required in **private** GitHub repos:
 
 ```yaml
 permissions:
-  checks: write
   contents: read
   issues: read
+  checks: write
   pull-requests: write
 ```
 
@@ -266,6 +266,7 @@ are then all downloaded by your publish job.
 name: CI
 
 on: [push]
+permissions: {}
 
 jobs:
   build-and-test:
@@ -300,6 +301,17 @@ jobs:
     name: "Publish Unit Tests Results"
     needs: build-and-test
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+
+      # only needed unless run with comment_mode: off
+      pull-requests: write
+
+      # only needed for private repository
+      contents: read
+
+      # only needed for private repository
+      issues: read
     if: always()
 
     steps:
@@ -382,11 +394,24 @@ on:
     workflows: ["CI"]
     types:
       - completed
+permissions: {}
 
 jobs:
   unit-test-results:
     name: Unit Test Results
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+
+      # only needed unless run with comment_mode: off
+      pull-requests: write
+
+      # only needed for private repository
+      contents: read
+
+      # only needed for private repository
+      issues: read
     if: github.event.workflow_run.conclusion != 'skipped'
 
     steps: