Add explicit permissions to workflows

Signed-off-by: Derek Nola <derek.nola@suse.com>

.github/workflows/build-k3s.yaml

@@ -8,6 +8,9 @@ on:
       required: false
       default: false
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build

.github/workflows/cgroup.yaml

@@ -19,6 +19,10 @@ on:
       - ".github/**"
       - "!.github/workflows/cgroup.yaml"
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 jobs:
   prep:
     name: "Prepare"

.github/workflows/epic.yaml

@@ -2,10 +2,16 @@ name: Update epics
 on:
   issues:
     types: [opened, closed, reopened]
+
+permissions:
+  contents: read
+
 jobs:
   epics:
     runs-on: ubuntu-latest
     name: Update epic issues
+    permissions:
+      issues: read | write
     steps:
       - name: Run epics action
         uses: cloudaper/epics-action@v1

.github/workflows/install.yaml

@@ -12,6 +12,10 @@ on:
       - "install.sh"
       - "tests/install/**"
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build

.github/workflows/integration.yaml

@@ -19,6 +19,10 @@ on:
       - ".github/**"
       - "!.github/workflows/integration.yaml"
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: ./.github/workflows/build-k3s.yaml

.github/workflows/nightly-install.yaml

@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: "0 0 * * 1-5"
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Smoke Test"

.github/workflows/snapshotter.yaml

@@ -19,6 +19,10 @@ on:
       - ".github/**"
       - "!.github/workflows/snapshotter.yaml"
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 jobs:
   prep:
     name: "Prepare"

.github/workflows/unitcoverage.yaml

@@ -21,6 +21,10 @@ on:
       - ".github/**"
       - "!.github/workflows/unitcoverage.yaml"
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Unit Tests