Scorecard: Delcare default permissions as read only except CodeQL.

.github/workflows/codeql-analysis.yml

@@ -3,6 +3,9 @@ name: "CodeQL"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]
 
+# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions: write-all
+
 jobs:
  analyze:
  name: actions-codeql-analyze

.github/workflows/release.yml

@@ -6,6 +6,9 @@ on:
  tags:
  - v6*
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
  envs:
  name: envs

.github/workflows/scorecard.yml

@@ -2,7 +2,8 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: Scorecard supply-chain security
+name: Scorecard
+
 on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -58,12 +59,12 @@ jobs:
 
  # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
  # format to the repository Actions tab.
- - name: "Upload artifact"
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
+ #- name: "Upload artifact"
+ # uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ # with:
+ # name: SARIF file
+ # path: results.sarif
+ # retention-days: 5
 
  # Upload the results to GitHub's code scanning dashboard.
  - name: "Upload to code-scanning"

.github/workflows/test.yml

@@ -3,6 +3,9 @@ name: "Test"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 # The dependency graph:
 # test(6m)
 # multiple-arch-armv7(13m)