From edc92d1d37634b6cd77556ad2b7d621a405f8888 Mon Sep 17 00:00:00 2001
From: Charles Lyding <19598772+clydin@users.noreply.github.com>
Date: Fri, 11 Feb 2022 10:29:39 -0500
Subject: [PATCH] build: add permissions to current github action workflows

The currently recommended best practice for Github action workflows is to set top-level permissions to read only. And if the job uses the automatic `GITHUB_TOKEN`, fine-grained permissions for each job based on the job's requirements should also be added. All existing workflows in the repository now have top-level read only permission blocks. Only the `scorecard` workflow currently requires additional job level permissions and the minimum set of permissions were already present for the job. (cherry picked from commit b8c8cc411363693e1d9496bd9508501ed024936f)
---
 .github/workflows/dev-infra.yml | 4 ++++
 .github/workflows/feature-requests.yml | 4 ++++
 .github/workflows/lock-closed.yml | 4 ++++
 .github/workflows/scorecard.yml | 3 ++-
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dev-infra.yml b/.github/workflows/dev-infra.yml
index d2ad3c9ce350..5a419de953f5 100644
--- a/.github/workflows/dev-infra.yml
+++ b/.github/workflows/dev-infra.yml
@@ -1,5 +1,9 @@
 name: DevInfra
 
+# Declare default permissions as read only.
+permissions:
+  contents: read
+
 on:
   pull_request_target:
     types: [opened, synchronize, reopened]
diff --git a/.github/workflows/feature-requests.yml b/.github/workflows/feature-requests.yml
index 7ae70b11407d..dd04168b5b93 100644
--- a/.github/workflows/feature-requests.yml
+++ b/.github/workflows/feature-requests.yml
@@ -1,5 +1,9 @@
 name: Feature request triage bot
 
+# Declare default permissions as read only.
+permissions:
+  contents: read
+
 on:
   schedule:
     # Run at 13:00 every day
diff --git a/.github/workflows/lock-closed.yml b/.github/workflows/lock-closed.yml
index 876f03b193c7..996a0aa6462d 100644
--- a/.github/workflows/lock-closed.yml
+++ b/.github/workflows/lock-closed.yml
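Review bot: The added comment `# Declare default permissions as read only.` understates what `contents: read` does: it grants read on `contents` and sets every other scope of the automatic `GITHUB_TOKEN` (issues, pull-requests, actions, …) to none, which is stricter than a read-only default and is exactly why a job that writes to issues or PRs must now declare its own block. A more precise comment would be `# GITHUB_TOKEN defaults: contents read, every other scope none; jobs needing more must declare their own permissions block.` The same comment and block appear in the feature-requests.yml and lock-closed.yml hunks and in the scorecard.yml hunk, so one wording should be used in all four. For dev-infra.yml this matters most because the workflow runs on `pull_request_target`, where a write-capable token combined with untrusted pull-request input is the classic exposure; the jobs that would consume the token are outside the hunk.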
@@ -1,5 +1,9 @@
 name: Lock Inactive Issues
 
+# Declare default permissions as read only.
+permissions:
+  contents: read
+
 on:
   schedule:
     # Run at 08:00 every day
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 8fbf4ac3df93..596a7eafb0fb 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -8,7 +8,8 @@ on:
   workflow_dispatch:
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
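Review bot: In scorecard.yml the replacement of `permissions: read-all` with `contents: read` only changes the token for jobs that have no `permissions:` block of their own, because a job-level block replaces the top-level one for every scope rather than merging with it. The `analysis` job starts below the hunk and, per the description, already carries its own block, so the effective token for that job is unchanged by this hunk and a reader should not take the top-level block as constraining it. Consider saying so in the comment, e.g. `# Top-level default for jobs without their own permissions block; analysis declares its own.`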