GitHub Workflows security hardening (#7629)

* build: harden push.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden deployment.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden pr.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

Signed-off-by: Alex <aleksandrosansan@gmail.com>

.github/workflows/deployment.yml

@@ -5,8 +5,12 @@ on:
     tags:
       - 'v*'
 
+permissions: {}
 jobs:
   deploy:
+    permissions:
+      contents: write # for release creation (svenstaro/upload-release-action)
+
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/pr.yml

@@ -2,6 +2,9 @@ name: Pull Request Tests
 
 on: [pull_request, workflow_dispatch]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   testPR:
     runs-on: ubuntu-latest

.github/workflows/push.yml

@@ -2,8 +2,12 @@ name: Tests
 
 on: [push, workflow_dispatch]
 
+permissions: {}
 jobs:
   runPush:
+    permissions:
+      contents: write # for Update bundles
+
     runs-on: ubuntu-latest
 
     steps: