[StepSecurity] ci: Harden GitHub Actions (#305)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

.github/workflows/dco.yml

@@ -5,8 +5,13 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   dco_check:
+    permissions:
+      pull-requests: read  # for tim-actions/get-pr-commits to get list of commits from the PR
     runs-on: ubuntu-latest
     name: DCO Check
     steps:

.github/workflows/doc-only.yml

@@ -12,6 +12,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   verify:
     name: verify

.github/workflows/e2e.yml

@@ -16,6 +16,9 @@ env:
   GO_VERSION: '1.20'
   GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+  contents: read
+
 jobs:
   e2e:
     runs-on: ubuntu-latest

.github/workflows/post.yml

@@ -16,6 +16,9 @@ env:
   GO_VERSION: '1.20'
   GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
     name: coverage

.github/workflows/pr-verify.yml

@@ -8,6 +8,9 @@ on:
   pull_request_target:
     types: [opened, edited, reopened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   verify:
     name: verify PR contents

.github/workflows/pre.yml

@@ -16,6 +16,9 @@ env:
   GO_VERSION: '1.20'
   GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+  contents: read
+
 jobs:
   verify:
     name: verify

.github/workflows/releaseimage.yml

@@ -15,6 +15,9 @@ defaults:
   run:
     working-directory: go/src/open-cluster-management.io/ocm
 
+permissions:
+  contents: read
+
 jobs:
   env:
     name: prepare release env

.github/workflows/stable.yaml

@@ -5,8 +5,14 @@ on:
 
 # `stable` label will be added to issues and PRs that have been inactive for 120 days
 # Close stale issues and PRs after 14 days of inactivity
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v8