Fix Token-Permissions OpenSSF remarks

Author: aobolensk

.github/workflows/codeql.yml

@@ -5,6 +5,9 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/labeler.yml

@@ -3,6 +3,9 @@ name: "Label PRs"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   label-pull-requests:
     runs-on: ubuntu-24.04

.github/workflows/mac.yml

@@ -1,6 +1,9 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   clang-build:
     runs-on: macOS-latest

.github/workflows/main.yml

@@ -8,6 +8,9 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: >-
@@ -18,26 +21,45 @@ concurrency:
 jobs:
   pre-commit:
     uses: ./.github/workflows/pre-commit.yml
+    permissions:
+      contents: read
+      packages: read
   ubuntu:
     needs:
       - pre-commit
     uses: ./.github/workflows/ubuntu.yml
+    permissions:
+      contents: read
+      packages: read
+      issues: write
+      pull-requests: write
   mac:
     needs:
       - pre-commit
     uses: ./.github/workflows/mac.yml
+    permissions:
+      contents: read
   windows:
     needs:
       - pre-commit
     uses: ./.github/workflows/windows.yml
+    permissions:
+      contents: read
   perf:
     needs:
       - ubuntu
       - mac
       - windows
     uses: ./.github/workflows/perf.yml
+    permissions:
+      contents: read
+      packages: read
 
   pages:
     needs:
       - perf
     uses: ./.github/workflows/pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write

.github/workflows/perf.yml

@@ -1,9 +1,15 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-gcc-build-perf-stats:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:

.github/workflows/pre-commit.yml

@@ -5,9 +5,15 @@ on:
   pull_request:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:

.github/workflows/static-analysis-pr.yml

@@ -19,9 +19,15 @@ concurrency:
         github.event_name != 'merge_group' &&
         !startsWith(github.ref, 'refs/heads/gh-readonly-queue') }}
 
+permissions:
+  contents: read
+
 jobs:
   clang-tidy:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -71,6 +77,9 @@ jobs:
     needs:
       - clang-tidy
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:

.github/workflows/ubuntu.yml

@@ -1,9 +1,15 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   gcc-build:
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -58,6 +64,9 @@ jobs:
     needs:
       - gcc-build
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -90,6 +99,9 @@ jobs:
     needs:
       - gcc-test
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -114,6 +126,9 @@ jobs:
           PPC_NUM_PROC: 1
   clang-build:
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -159,6 +174,9 @@ jobs:
     needs:
       - clang-build
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -191,6 +209,9 @@ jobs:
     needs:
       - clang-test
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -217,6 +238,9 @@ jobs:
     needs:
       - clang-build
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -264,6 +288,9 @@ jobs:
     needs:
       - clang-sanitizer-build
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -302,6 +329,9 @@ jobs:
     needs:
       - clang-sanitizer-test
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: read
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
@@ -330,6 +360,11 @@ jobs:
       - gcc-test-extended
       - clang-test-extended
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+      issues: write
+      pull-requests: write
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:

.github/workflows/windows.yml

@@ -1,6 +1,9 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   msvc-build:
     runs-on: windows-latest