ci: mimic the "restricted" mode

Judging by https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token it should be enough to grant the "read contents" permission to most of our actions. The "read metadata" permission is set impliciclty somewhere and can't be set via the "permissions" setting: ``` The workflow is not valid. .github/workflows/linter.yml (Line: 14, Col: 3): Unexpected value 'metadata' ```
2024-10-14 20:17:52 +00:00 · 2021-11-13 22:34:04 +00:00 · 2021-11-13 22:34:04 +00:00 · e7a966915d
parent 10b1c3cd24
commit e7a966915d
6 changed files with 12 additions and 6 deletions
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@ -12,7 +12,8 @@ on:
      - 'src/**'
      - 'test/fuzz/**'

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build:
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@ -5,7 +5,8 @@

 name: CIFuzz

-permissions: read-all
+permissions:
+  contents: read

 on:
  pull_request:
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@ -9,7 +9,8 @@ on:
    # Run Coverity daily at midnight
    - cron:  '0 0 * * *'

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build:
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@ -10,7 +10,8 @@ on:
      - main
      - v[0-9]+-stable

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build:
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@ -14,7 +14,8 @@ on:
      - main
      - v[0-9]+-stable

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  ci:
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@ -9,7 +9,8 @@ on:
      - main
      - v[0-9]+-stable

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build: