Fix some OSSF scorecard issues

Author: trask

.github/workflows/build-daily-no-build-cache.yml

@@ -6,6 +6,9 @@ on:
     - cron: "48 4 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   common:
     uses: ./.github/workflows/build-common.yml
@@ -29,6 +32,8 @@ jobs:
   # anyway and so are already covered by the normal daily build
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - common
       - test-latest-deps

.github/workflows/build-daily.yml

@@ -6,6 +6,9 @@ on:
     - cron: "24 3 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   common:
     uses: ./.github/workflows/build-common.yml
@@ -32,6 +35,8 @@ jobs:
     uses: ./.github/workflows/reusable-misspell-check.yml
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - common
       - test-latest-deps

.github/workflows/build-pull-request.yml

@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   common:
     uses: ./.github/workflows/build-common.yml

.github/workflows/build.yml

@@ -7,6 +7,9 @@ on:
       - release/*
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   common:
     uses: ./.github/workflows/build-common.yml

.github/workflows/native-tests-daily.yml

@@ -6,13 +6,18 @@ on:
     - cron: "0 4 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   graalvm-native-tests:
     uses: ./.github/workflows/reusable-native-tests.yml
     with:
       test-latest-deps: true
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - graalvm-native-tests
     if: always()

.github/workflows/overhead-benchmark-daily.yml

@@ -5,8 +5,13 @@ on:
     - cron: "0 5 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   run-overhead-tests:
+    permissions:
+      contents: write # for writing to the gh-pages branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -50,6 +55,8 @@ jobs:
           committer_email: [email protected]
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - run-overhead-tests
     if: always()

.github/workflows/owasp-dependency-check-daily.yml

@@ -8,6 +8,9 @@ on:
     - cron: "30 1 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
@@ -41,6 +44,8 @@ jobs:
           path: javaagent/build/reports
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - analyze
     if: always()

.github/workflows/pr-smoke-test-grpc-images.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: ./.github/workflows/reusable-smoke-test-images.yml

.github/workflows/pr-smoke-test-play-images.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: ./.github/workflows/reusable-smoke-test-images.yml

.github/workflows/pr-smoke-test-quarkus-images.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: ./.github/workflows/reusable-smoke-test-images.yml

.github/workflows/pr-smoke-test-security-manager-images.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: ./.github/workflows/reusable-smoke-test-images.yml

.github/workflows/pr-smoke-test-servlet-images.yml

@@ -6,6 +6,9 @@ on:
       - "smoke-tests/images/servlet/**"
       - ".github/workflows/pr-smoke-test-servlet-images.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}

.github/workflows/pr-smoke-test-spring-boot-images.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: ./.github/workflows/reusable-smoke-test-images.yml