GitHub Workflows security hardening (#3470)

* build: harden docker-publish.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden website.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden changesets.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden static-data.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

Signed-off-by: Alex <aleksandrosansan@gmail.com>

.github/workflows/changesets.yml

@@ -12,6 +12,9 @@ env:
   CI: true
   PNPM_CACHE_FOLDER: .pnpm-store
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   # Update package versions from changesets.
   version:

.github/workflows/docker-publish.yml

@@ -15,6 +15,10 @@ on:
       - 'master'
     tags:
       - 'v*'
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   docker:
     runs-on: ubuntu-latest

.github/workflows/static-data.yml

@@ -10,6 +10,10 @@ on:
   # push:
   #   branches:
   #     - master
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   prepare:
     name: Run script

.github/workflows/website.yml

@@ -9,8 +9,16 @@ on:
   schedule:
     - cron: '0 0 * * *' 
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   build:
+    permissions:
+      contents: read  #  to fetch code (actions/checkout)
+      deployments: write
+      pull-requests: write  #  to comment on pull-requests
+
     runs-on: ubuntu-latest
     env:
       NODE_OPTIONS: --max_old_space_size=4096