From d2c4b69f47b384aa4d52e203631d23accdcea6a7 Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Thu, 16 Feb 2023 16:16:54 +0800
Subject: [PATCH] GHA CI: use least permission level `actions: write` is required by Chocobo1/setup-ccache-action. `pull-requests: write` is required by actions/stale. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
---
 .github/workflows/ci_file_health.yaml | 2 ++
 .github/workflows/ci_macos.yaml | 3 +++
 .github/workflows/ci_ubuntu.yaml | 3 +++
 .github/workflows/ci_webui.yaml | 2 ++
 .github/workflows/ci_windows.yaml | 3 +++
 .github/workflows/coverity-scan.yml | 2 ++
 .github/workflows/stale_bot.yaml | 3 +++
 7 files changed, 18 insertions(+)
diff --git a/.github/workflows/ci_file_health.yaml b/.github/workflows/ci_file_health.yaml
index a46290f53..eb151513c 100644
--- a/.github/workflows/ci_file_health.yaml
+++ b/.github/workflows/ci_file_health.yaml
@@ -2,6 +2,8 @@ name: CI - File health
 on: [pull_request, push]
+permissions: {}
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: ${{ github.head_ref != '' }}
diff --git a/.github/workflows/ci_macos.yaml b/.github/workflows/ci_macos.yaml
index d15af6157..9559d5daa 100644
--- a/.github/workflows/ci_macos.yaml
+++ b/.github/workflows/ci_macos.yaml
@@ -2,6 +2,9 @@ name: CI - macOS
 on: [pull_request, push]
+permissions:
+ actions: write
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: ${{ github.head_ref != '' }}
diff --git a/.github/workflows/ci_ubuntu.yaml b/.github/workflows/ci_ubuntu.yaml
index 053077ef4..fb522bb8a 100644
--- a/.github/workflows/ci_ubuntu.yaml
+++ b/.github/workflows/ci_ubuntu.yaml
@@ -2,6 +2,9 @@ name: CI - Ubuntu
 on: [pull_request, push]
+permissions:
+ actions: write
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: ${{ github.head_ref != '' }}
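Review bot: `permissions: {}` in ci_file_health.yaml removes every scope from GITHUB_TOKEN, `contents: read` included, so any checkout step in the jobs (which are outside this hunk) keeps working only because the repository is publicly readable. A private mirror or fork would fail at checkout with nothing in the file explaining why. Either grant the read scope explicitly with `permissions:` / `contents: read`, or record the assumption next to the empty map, e.g. `permissions: {}  # jobs only read the public repository`. The same applies to the identical additions in ci_webui.yaml and coverity-scan.yml.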
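Review bot: The `actions: write` grant in ci_macos.yaml is declared at workflow level, so every job and every step receives it, not just the step that runs Chocobo1/setup-ccache-action. Moving the block under the job that uses the action would narrow it further, and a trailing comment such as `actions: write  # required by Chocobo1/setup-ccache-action` would keep the reason beside the grant instead of only in the commit message. Since a third-party action now receives a write-capable token, it is worth confirming that its `uses:` line (outside this hunk) is pinned to a full commit SHA. On pull requests from forks GitHub hands out a read-only token by default, so the write grant should not be relied on there. ci_ubuntu.yaml and ci_windows.yaml carry the same addition.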
diff --git a/.github/workflows/ci_webui.yaml b/.github/workflows/ci_webui.yaml
index 18d0e985c..335cfe6ad 100644
--- a/.github/workflows/ci_webui.yaml
+++ b/.github/workflows/ci_webui.yaml
@@ -2,6 +2,8 @@ name: CI - WebUI
 on: [pull_request, push]
+permissions: {}
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: ${{ github.head_ref != '' }}
diff --git a/.github/workflows/ci_windows.yaml b/.github/workflows/ci_windows.yaml
index bca52a8e1..611c1cc2a 100644
--- a/.github/workflows/ci_windows.yaml
+++ b/.github/workflows/ci_windows.yaml
@@ -2,6 +2,9 @@ name: CI - Windows
 on: [pull_request, push]
+permissions:
+ actions: write
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: ${{ github.head_ref != '' }}
diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml
index ad243a915..22fbc478e 100644
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@@ -5,6 +5,8 @@ on:
 - cron: '0 0 1 * *' # Monthly (1st day of month at midnight)
 workflow_dispatch: # Mainly for testing. Don't forget the Coverity usage limits.
+permissions: {}
+
 jobs:
 coverity_scan:
 name: Scan
diff --git a/.github/workflows/stale_bot.yaml b/.github/workflows/stale_bot.yaml
index 4cb991b87..93fad6070 100644
--- a/.github/workflows/stale_bot.yaml
+++ b/.github/workflows/stale_bot.yaml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: '0 0 * * *'
+permissions:
+ pull-requests: write
+
 jobs:
 stale:
 runs-on: ubuntu-latest
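Review bot: Listing only `pull-requests: write` in stale_bot.yaml sets every unlisted scope to none, `issues` included. If the actions/stale step (its configuration is outside this hunk) is also set up to process issues, it will no longer be able to label or close them; in that case add `issues: write` beside the existing entry. A short comment such as `# actions/stale: label and close stale pull requests` would record why the grant exists, and because the hunk shows the start of the single `stale` job, the block could equally sit at job level.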