ci: set default read only permissions and moved privileged permissions to individual jobs (#66)

Author: MadsRC

.github/workflows/osv-scanner-pr.yaml

@@ -6,12 +6,14 @@ on:
   merge_group:
     branches: [main]
 
-permissions:
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Only need to read contents
-  contents: read
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   scan-pr:
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@75532bf0bf75464b047d80414dbce04449498365" # v1.7.3
+    permissions:
+      # Require writing security events to upload SARIF file to security tab
+      security-events: write
+      # Only need to read contents
+      contents: read

.github/workflows/osv-scanner-schedule.yaml

@@ -6,12 +6,14 @@ on:
   push:
     branches: [main]
 
-permissions:
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Only need to read contents
-  contents: read
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   osv-scan:
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@75532bf0bf75464b047d80414dbce04449498365" # v1.7.3
+    permissions:
+      # Require writing security events to upload SARIF file to security tab
+      security-events: write
+      # Only need to read contents
+      contents: read

.github/workflows/semgrep.yml

@@ -13,6 +13,10 @@ on:
   schedule:
   # random HH:MM to avoid a load spike on GitHub Actions at 00:00
   - cron: 55 8 * * *
+
+# Declare default permissions as read only.
+permissions: read-all
+
 name: Semgrep
 jobs:
   semgrep:

.github/workflows/sonarcloud.yaml

@@ -10,6 +10,10 @@ on:
       - main
   pull_request:
       types: [opened, synchronize, reopened]
+
+# Declare default permissions as read only.
+permissions: read-all
+
 name: SonarCloud analysis
 jobs:
   sonarcloud: