
Merge pull request #10368 from nextcloud/defaultPermission

Setting token permissions to read-only follows the principle of least privilege.
Álvaro Brey 2 жил өмнө
parent
commit
573b976e63

+ 4 - 0
.github/workflows/analysis.yml

@@ -6,6 +6,10 @@ on:
     push:
         branches: [ master, stable-* ]
 
+permissions:
+    pull-requests: write
+    contents: write
+
 jobs:
     analysis:
         runs-on: ubuntu-latest
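Review bot: `contents: write` at the top level of analysis.yml gives the workflow token push access to the repository, the broadest scope added anywhere in this PR, on a workflow whose jobs are not visible in the hunk, while the PR description states that read-only defaults are the goal. Unless a step in this file commits or pushes, `contents: read` is enough for checkout and `pull-requests: write` alone covers posting results to a PR. If one job genuinely needs write access, grant it in that job's own `permissions:` block and keep the top-level default at `contents: read`. The `on:` block above the hunk and the jobs below it are outside this view.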

+ 3 - 0
.github/workflows/assembleFlavors.yml

@@ -4,6 +4,9 @@ on:
     pull_request:
         branches: [ master, stable-* ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
     flavor:
         runs-on: ubuntu-latest
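Review bot: `permissions: read-all` grants the token read access on every available scope, not only `contents`; the comment above it correctly calls this read-only, but it is wider than the least-privilege default the PR aims for. If the jobs in this file only check out the repository, `permissions:` followed by `  contents: read` is the tighter form and also documents what the token is actually used for. The same `read-all` line is added in check.yml, detectNewJavaFiles.yml, detectSnapshot.yml and gradle-wrapper-validation.yml. The jobs that would confirm which scopes are needed are outside this hunk.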

+ 3 - 0
.github/workflows/autoApproveDependabot.yml

@@ -3,6 +3,9 @@ on:
     pull_request_target:
         branches: [ master, stable-* ]
 
+permissions:
+    pull-requests: write
+
 jobs:
     auto-approve:
         runs-on: ubuntu-latest
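Review bot: `pull-requests: write` is granted to a workflow triggered by `pull_request_target`, which runs with the base branch's privileged token and secrets even for pull requests from forks. That is the right scope for approving, but it makes it essential that no job in this file checks out or executes code from the pull request head, and that the approval step (presumably) confirms the actor is Dependabot before approving; the jobs are outside this hunk. Note also that once any `permissions:` key is declared every unlisted scope becomes `none`, so a step using actions/checkout would additionally need `contents: read`. A comment above the block such as `# pull_request_target: base-branch token with write access; never check out or run PR-head code in this workflow` would record the constraint for future edits.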

+ 3 - 0
.github/workflows/check.yml

@@ -4,6 +4,9 @@ on:
     pull_request:
         branches: [ master, stable-* ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
     check:
         runs-on: ubuntu-latest

+ 1 - 1
.github/workflows/codeql.yml

@@ -27,7 +27,7 @@ jobs:
       uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
-    - name: Set up JDK 
+    - name: Set up JDK
       uses: actions/setup-java@v2
       with:
         distribution: "temurin"

+ 8 - 8
.github/workflows/command-rebase.yml

@@ -6,11 +6,11 @@
 name: Rebase command
 
 on:
-  issue_comment:
-    types: created
+    issue_comment:
+        types: created
 
-permissions:	
-  contents: read	
+permissions:
+  contents: read
 
 jobs:
   rebase:
@@ -18,11 +18,11 @@ jobs:
     permissions:
       contents: none
 
-    # On pull requests and if the comment starts with `/rebase`
-    if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')
+        # On pull requests and if the comment starts with `/rebase`
+        if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')
 
-    steps:
-      - name: Add reaction on start
+        steps:
+            -   name: Add reaction on start
         uses: peter-evans/create-or-update-comment@v2
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
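Review bot: The re-indentation in the second hunk leaves nesting that a YAML parser should reject: `if:` and `steps:` move to column 8 while their sibling `permissions:` two lines above stays at column 4, and the `-   name:` item moves to column 12 with the unchanged `uses:` and `with:` lines below it still at column 8, so `uses:` no longer belongs to the same step as `name:`. Unless lines outside the hunks were also changed (the +8 −8 diffstat matches the lines shown here), the workflow file becomes invalid and the rebase command stops working. Since `rebase:`, `permissions:` and the remaining step keys keep the 2-space style, the minimal fix is to leave these three lines at their original indentation: `    if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')`, `    steps:`, `      - name: Add reaction on start`. The first hunk is valid but mixes a 4-space `on:` block with the 2-space `permissions:` block that follows it; the job body continues outside this hunk.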

+ 7 - 4
.github/workflows/detectNewJavaFiles.yml

@@ -4,12 +4,15 @@ on:
     pull_request:
         branches: [ master, stable-* ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
     detectNewJavaFiles:
         runs-on: ubuntu-latest
 
         steps:
-               - uses: trilom/file-changes-action@v1.2.4
-               - uses: actions/checkout@v2
-               - name: Detect new java files
-                 run: scripts/analysis/detectNewJavaFiles.sh
+            -   uses: trilom/file-changes-action@v1.2.4
+            -   uses: actions/checkout@v2
+            -   name: Detect new java files
+                run: scripts/analysis/detectNewJavaFiles.sh
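Review bot: `trilom/file-changes-action@v1.2.4`, now the first entry of the re-indented steps, is a third-party action referenced by a mutable tag, so the code that executes with the workflow token can change without any change to this file. The commit narrows what that token can do, which limits the impact, but pinning the reference to the full commit SHA of that release, e.g. `uses: trilom/file-changes-action@<commit-sha>  # v1.2.4`, closes the remaining supply-chain window; the same practice applies to `actions/checkout@v2` below it. The job's remaining configuration is outside this hunk.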

+ 3 - 0
.github/workflows/detectSnapshot.yml

@@ -4,6 +4,9 @@ on:
     pull_request:
         branches: [ master, stable-* ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
     detectSnapshot:
         runs-on: ubuntu-latest

+ 3 - 0
.github/workflows/gradle-wrapper-validation.yml

@@ -4,6 +4,9 @@ on:
     pull_request:
         branches: [ master, stable-* ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
     validation:
         name: "Validation"

+ 4 - 0
.github/workflows/qa.yml

@@ -4,6 +4,10 @@ on:
     pull_request:
         branches: [ master, stable-* ]
 
+permissions:
+    pull-requests: write
+    contents: read
+
 jobs:
     qa:
         runs-on: ubuntu-latest
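Review bot: `pull-requests: write` is granted on a workflow whose visible trigger is `pull_request`; for pull requests opened from forks GitHub restricts GITHUB_TOKEN to read access regardless of this block, so any step that comments on or labels the PR will still fail for fork contributors. If that is accepted, a comment above the block such as `# pull-requests: write takes effect only for same-repository PRs; fork PRs receive a read-only token` would save the next reader a debugging round; otherwise the writing step needs a guard like `if: github.event.pull_request.head.repo.full_name == github.repository`. The same block is added in screenShotTest.yml, also on `pull_request`. Whether the `on:` blocks list further events is outside these hunks.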

+ 4 - 0
.github/workflows/screenShotTest.yml

@@ -4,6 +4,10 @@ on:
     pull_request:
         branches: [ master, stable-* ]
 
+permissions:
+    contents: read
+    pull-requests: write
+
 jobs:
     screenshot:
         runs-on: macOS-latest

+ 3 - 0
.github/workflows/stale.yml

@@ -3,6 +3,9 @@ on:
     schedule:
         -   cron: '* */2 * * *'
 
+permissions:
+    pull-requests: write
+
 jobs:
     stale:
         runs-on: ubuntu-latest
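Review bot: The new `permissions:` block grants only `pull-requests: write`; a stale job that also processes issues would need `issues: write`, and since declaring any `permissions:` key sets every unlisted scope to `none`, the step (outside this hunk) should be checked against the scopes it actually uses. Separately, the unchanged schedule `cron: '* */2 * * *'` fires every minute of every even hour rather than every two hours; if the latter is intended, `cron: '0 */2 * * *'` is the usual form and keeps token-bearing runs, and API usage, to twelve per day.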

+ 4 - 0
.github/workflows/unit-tests.yml

@@ -6,6 +6,10 @@ on:
     push:
         branches: [ master, stable-* ]
 
+permissions:
+    contents: read
+    pull-requests: write
+
 jobs:
     test:
         runs-on: ubuntu-latest