
CI: Set minimal permissions on GitHub Workflows #7069

@diogoteles08

Description


Problem

I noticed that some of your GitHub Workflows don't specify their permissions (such as ui-tests.yml), and others define some potentially dangerous write permissions (usually contents: write) that might not be required. It's recommended that you always define minimal permissions for your workflows, as it secures you against erroneous or malicious behaviours from external jobs you call from them. It's especially important in case they get compromised, for example, and it's a recommendation by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

Proposed Solution

I'd recommend that you review the write permissions of your workflows and substitute them with read permissions whenever possible. Ideally you would set a top-level read-only permission on all workflows, so that it would be inherited by any job that does not define job-level permissions. For any job that requires write permissions, they can be defined locally as job-level permissions.

As those would be changes of a few lines of code, I'll take the liberty to send a PR setting the required minimal permissions as I understand them from the workflows. Then you can evaluate the suggestion more easily and correct me where I'm mistaken.
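The layout described above, as an added example that is not part of the issue or of the project's own workflows: a top-level read-only grant that every job inherits, plus a job-level write grant only on the job that needs it. The workflow, job and step names, the Makefile target and the release script are illustrative placeholders.

```yaml
# Added example (not from the project's workflows): a workflow that previously
# relied on the repository's default GITHUB_TOKEN permissions, rewritten with
# a top-level read-only grant and a job-level write grant only where needed.
name: build-and-release

on:
  push:
    branches: [main]

# Top level: read-only. Every job inherits this unless it defines its own
# `permissions` block. Any scope not listed here is set to `none`.
permissions:
  contents: read

jobs:
  test:
    # Inherits `contents: read`: the token handed to this job (and to any
    # third-party action it calls) cannot push, tag or create releases.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test   # placeholder build/test step

  release:
    needs: test
    runs-on: ubuntu-latest
    # Job-level override: this is the only job that needs to write to the
    # repository. A job-level block replaces the top-level block entirely
    # for this job, so every scope the job needs must be listed here.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish-release.sh   # placeholder release step
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Setting `permissions: {}` at the top level is the stricter variant: it removes every scope, so each job must declare exactly what it uses.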

Context

I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
