fix(ci): hardening security of GH actions

Author: christian-bromann

.github/workflows/build.yml

@@ -5,6 +5,9 @@ on:
   # Make this a reusable workflow, no value needed
   # https://docs.github.com/en/actions/using-workflows/reusing-workflows
 
+permissions:
+  contents: read
+
 jobs:
   build_core:
     name: Core

.github/workflows/create-production-pr.yml

@@ -27,6 +27,9 @@ jobs:
   create-stencil-release-pull-request:
     name: Generate Stencil Release PR
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       # Log the input from GitHub Actions for easy traceability
       - name: Log GitHub Input

.github/workflows/lint-and-format.yml

@@ -6,6 +6,9 @@ on:
     # Make this a reusable workflow, no value needed
     # https://docs.github.com/en/actions/using-workflows/reusing-workflows
 
+permissions:
+  contents: read
+
 jobs:
   format:
     name: Check

.github/workflows/main.yml

@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build_core:
     name: Build

.github/workflows/release-dev.yml

@@ -10,6 +10,9 @@ on:
         description: The version that was just published to npm.
         value: ${{ jobs.get-dev-version.outputs.dev-version }}
 
+permissions:
+  contents: read
+
 jobs:
   build_core:
     name: Build
@@ -57,6 +60,7 @@ jobs:
     needs: [get-dev-version, build_core]
     runs-on: ubuntu-22.04
     permissions:
+      contents: read
       id-token: write
     steps:
       - name: Checkout Code

.github/workflows/release-nightly.yml

@@ -9,6 +9,9 @@ on:
   workflow_dispatch:
     # Allow this workflow to be run on-demand
 
+permissions:
+  contents: read
+
 jobs:
   build_core:
     name: Build
@@ -59,6 +62,7 @@ jobs:
     needs: [get-nightly-version, build_core]
     runs-on: ubuntu-22.04
     permissions:
+      contents: read
       id-token: write
     steps:
       - name: Checkout Code

.github/workflows/test-analysis.yml

@@ -5,6 +5,9 @@ on:
     # Make this a reusable workflow, no value needed
     # https://docs.github.com/en/actions/using-workflows/reusing-workflows
 
+permissions:
+  contents: read
+
 jobs:
   analysis_test:
     name: (${{ matrix.os }}.${{ matrix.node }})

.github/workflows/test-bundlers.yml

@@ -5,6 +5,9 @@ on:
     # Make this a reusable workflow, no value needed
     # https://docs.github.com/en/actions/using-workflows/reusing-workflows
 
+permissions:
+  contents: read
+
 jobs:
   bundler_tests:
     name: Verify Bundlers

.github/workflows/test-component-starter.yml

@@ -5,6 +5,9 @@ on:
     # Make this a reusable workflow, no value needed
     # https://docs.github.com/en/actions/using-workflows/reusing-workflows
 
+permissions:
+  contents: read
+
 jobs:
   analysis_test:
     name: (${{ matrix.os }}.node-${{ matrix.node }}.jest-${{ matrix.jest }})

.github/workflows/test-copytask.yml

@@ -5,13 +5,16 @@ on:
     # Make this a reusable workflow, no value needed
     # https://docs.github.com/en/actions/using-workflows/reusing-workflows
 
+permissions:
+  contents: read
+
 jobs:
   bundler_tests:
     name: Verify Copy Task
     runs-on: 'ubuntu-22.04'
     steps:
       - name: Checkout Code
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Get Core Dependencies
         uses: ./.github/workflows/actions/get-core-dependencies