[StepSecurity] ci: Harden GitHub Actions (#4551)

Signed-off-by: StepSecurity Bot <[email protected]>

Author: step-security-bot

.github/workflows/check_amalgamation.yml

@@ -3,6 +3,9 @@ name: "Check amalgamation"
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   save:
     runs-on: ubuntu-latest

.github/workflows/cifuzz.yml

@@ -1,6 +1,9 @@
 name: CIFuzz
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -15,6 +15,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
 

.github/workflows/comment_check_amalgamation.yml

@@ -5,6 +5,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   comment:
     if: ${{ github.event.workflow_run.conclusion == 'failure' }}

.github/workflows/dependency-review.yml

@@ -9,6 +9,9 @@
 name: 'Dependency Review'
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest

.github/workflows/labeler.yml

@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [opened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   label:
     permissions:

.github/workflows/macos.yml

@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 # macos-11 is deprecated
 #  macos-11:

.github/workflows/publish_documentation.yml

@@ -15,6 +15,9 @@ concurrency:
   group: documentation
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   publish_documentation:
     permissions:

.github/workflows/scorecards.yml

@@ -14,6 +14,9 @@ on:
   push:
     branches: ["develop"]
 
+permissions:
+  contents: read
+
 jobs:
   analysis:
     name: Scorecard analysis