fix: adds permissions to all workflows

.github/workflows/audit.yml

@@ -8,6 +8,9 @@ on:
  # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
  - cron: "0 8 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  audit:
  name: Audit Dependencies

.github/workflows/ci-release.yml

@@ -18,6 +18,10 @@ on:
  required: true
  type: string
 
+permissions:
+ contents: read
+ checks: write
+
 jobs:
  lint-all:
  name: Lint All

.github/workflows/ci-test-workspace.yml

@@ -16,6 +16,9 @@ on:
  # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
  - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint

.github/workflows/ci.yml

@@ -16,6 +16,9 @@ on:
  # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
  - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint

.github/workflows/codeql-analysis.yml

@@ -13,6 +13,9 @@ on:
  # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
  - cron: "0 10 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  analyze:
  name: Analyze

.github/workflows/pull-request.yml

@@ -10,6 +10,9 @@ on:
  - edited
  - synchronize
 
+permissions:
+ contents: read
+
 jobs:
  commitlint:
  name: Lint Commits

.github/workflows/release-integration.yml

@@ -19,6 +19,9 @@ on:
  PUBLISH_TOKEN:
  required: true
 
+permissions:
+ contents: read
+
 jobs:
  publish:
  name: Publish

lib/content/audit-yml.hbs

@@ -6,6 +6,9 @@ on:
  # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
  - cron: "0 8 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  audit:
  {{> jobYml jobName="Audit Dependencies" jobDepFlags="--package-lock" }}

lib/content/ci-release-yml.hbs

@@ -17,6 +17,10 @@ on:
  required: true
  type: string
 
+permissions:
+ contents: read
+ checks: write
+
 jobs:
  lint-all:
  {{> jobYml

lib/content/ci-yml.hbs

@@ -3,6 +3,9 @@ name: CI {{~#if isWorkspace}} - {{ pkgName }}{{/if}}
 on:
  {{> onCiYml }}
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  {{> jobYml jobName="Lint" }}

lib/content/codeql-analysis-yml.hbs

@@ -15,6 +15,9 @@ on:
  # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
  - cron: "0 10 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  analyze:
  name: Analyze

lib/content/pull-request-yml.hbs

@@ -8,6 +8,9 @@ on:
  - edited
  - synchronize
 
+permissions:
+ contents: read
+
 jobs:
  commitlint:
  {{> jobYml jobName="Lint Commits" jobCheckout=(obj fetch-depth=0) }}

lib/content/release-integration-yml.hbs

@@ -19,6 +19,9 @@ on:
  required: true
  {{/if}} 
 
+permissions:
+ contents: read
+
 jobs:
  publish:
  {{> jobReleaseIntegrationYml }}

tap-snapshots/test/apply/source-snapshots.js.test.cjs

@@ -356,6 +356,9 @@ on:
  # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
  - cron: "0 8 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  audit:
  name: Audit Dependencies
@@ -410,6 +413,10 @@ on:
  required: true
  type: string
 
+permissions:
+ contents: read
+ checks: write
+
 jobs:
  lint-all:
  name: Lint All
@@ -546,6 +553,9 @@ on:
  # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
  - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint
@@ -651,6 +661,9 @@ on:
  # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
  - cron: "0 10 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  analyze:
  name: Analyze
@@ -813,6 +826,9 @@ on:
  - edited
  - synchronize
 
+permissions:
+ contents: read
+
 jobs:
  commitlint:
  name: Lint Commits
@@ -872,6 +888,9 @@ on:
  type: string
  description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
 
+permissions:
+ contents: read
+
 jobs:
  publish:
  name: Check Publish
@@ -1797,6 +1816,9 @@ on:
  # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
  - cron: "0 8 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  audit:
  name: Audit Dependencies
@@ -1851,6 +1873,9 @@ on:
  # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
  - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint
@@ -1957,6 +1982,9 @@ on:
  # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
  - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint
@@ -2063,6 +2091,10 @@ on:
  required: true
  type: string
 
+permissions:
+ contents: read
+ checks: write
+
 jobs:
  lint-all:
  name: Lint All
@@ -2205,6 +2237,9 @@ on:
  # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
  - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint
@@ -2310,6 +2345,9 @@ on:
  # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
  - cron: "0 10 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  analyze:
  name: Analyze
@@ -2472,6 +2510,9 @@ on:
  - edited
  - synchronize
 
+permissions:
+ contents: read
+
 jobs:
  commitlint:
  name: Lint Commits
@@ -2531,6 +2572,9 @@ on:
  type: string
  description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
 
+permissions:
+ contents: read
+
 jobs:
  publish:
  name: Check Publish
@@ -3526,6 +3570,9 @@ on:
  # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
  - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint
@@ -3632,6 +3679,9 @@ on:
  # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
  - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint
@@ -3738,6 +3788,10 @@ on:
  required: true
  type: string
 
+permissions:
+ contents: read
+ checks: write
+
 jobs:
  lint-all:
  name: Lint All
@@ -3996,6 +4050,9 @@ on:
  - edited
  - synchronize
 
+permissions:
+ contents: read
+
 jobs:
  commitlint:
  name: Lint Commits
@@ -4055,6 +4112,9 @@ on:
  type: string
  description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
 
+permissions:
+ contents: read
+
 jobs:
  publish:
  name: Check Publish

tap-snapshots/test/check/diff-snapshots.js.test.cjs

@@ -99,23 +99,23 @@ The repo file audit.yml needs to be updated:
  [@npmcli/template-oss ERROR] There was an erroring getting the target file
  [@npmcli/template-oss ERROR] Error: {{ROOT}}/.tap/fixtures/test-check-diff-snapshots.js-update-and-remove-errors/.github/workflows/audit.yml
 
- YAMLParseError: Implicit keys need to be on a single line at line 42, column 1:
+ YAMLParseError: Implicit keys need to be on a single line at line 45, column 1:
 
  run: npm audit --audit-level=none
  >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<<
  ^
 
- YAMLParseError: Block scalar header includes extra characters: >>>>I at line 42, column 2:
+ YAMLParseError: Block scalar header includes extra characters: >>>>I at line 45, column 2:
 
  >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<<
  ^
 
- YAMLParseError: Not a YAML token: HOPE THIS IS NOT VALID YAML<<<<<<<<<<< at line 42, column 7:
+ YAMLParseError: Not a YAML token: HOPE THIS IS NOT VALID YAML<<<<<<<<<<< at line 45, column 7:
 
  >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<<
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
- YAMLParseError: Implicit map keys need to be followed by map values at line 42, column 1:
+ YAMLParseError: Implicit map keys need to be followed by map values at line 45, column 1:
 
  run: npm audit --audit-level=none
  >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<<
@@ -134,6 +134,9 @@ The repo file audit.yml needs to be updated:
  # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
  - cron: "0 8 * * 1"
 
+ permissions:
+ contents: read
+
  jobs:
  audit:
  name: Audit Dependencies
@@ -175,7 +178,7 @@ The repo file ci.yml needs to be updated:
 
  .github/workflows/ci.yml
  ========================================
- @@ -97,4 +97,24 @@
+ @@ -100,4 +100,24 @@
  shell: \${{ matrix.platform.shell }}
  steps:
  - name: Checkout