fix(workflows): assign explicit permissions (#38017)

Also documents what they are used for.

.github/workflows/auto-cleanup-bot.yml

@@ -5,6 +5,10 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+# We use AUTOMERGE_TOKEN to create the PR.
+permissions: {}
+
 jobs:
   fix:
     if: github.repository == 'mdn/content'

.github/workflows/auto-merge.yml

@@ -3,6 +3,9 @@ name: auto-merge
 on:
   pull_request_target:
 
+# No GITHUB_TOKEN permissions, as we use AUTOMERGE_TOKEN instead.
+permissions: {}
+
 jobs:
   auto-merge:
     runs-on: ubuntu-latest

.github/workflows/idle-issues.yml

@@ -3,6 +3,12 @@ on:
   schedule:
     - cron: "49 11,23 * * *"
 
+permissions:
+  # Label issues.
+  issues: write
+  # Label pull requests.
+  pull-requests: write
+
 jobs:
   idle:
     uses: mdn/workflows/.github/workflows/idle.yml@main

.github/workflows/interfacedata-updater.yml

@@ -6,6 +6,9 @@ on:
     - cron: "0 0 * * 6"
   workflow_dispatch:
 
+# No GITHUB_TOKEN permissions, as we use AUTOMERGE_TOKEN instead.
+permissions: {}
+
 jobs:
   update:
     if: github.repository == 'mdn/content'

.github/workflows/issue-regex-labeler.yml

@@ -3,6 +3,10 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  # Label issues.
+  issues: write
+
 jobs:
   issue-labeler:
     runs-on: ubuntu-latest

.github/workflows/lock-closed.yml

@@ -3,6 +3,14 @@ on:
   schedule:
     - cron: "0 9 1 * *"
 
+permissions:
+  # Lock discussions.
+  discussions: write
+  # Lock issues.
+  issues: write
+  # Lock pull requests.
+  pull-requests: write
+
 jobs:
   lock:
     uses: mdn/workflows/.github/workflows/lock-closed.yml@main

.github/workflows/markdown-lint.yml

@@ -13,6 +13,9 @@ on:
       - .github/workflows/markdown-lint.yml
       - .github/workflows/markdownlint-problem-matcher.json
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   docs:
     runs-on: ubuntu-latest

.github/workflows/new-issues.yml

@@ -6,6 +6,10 @@ on:
       - reopened
       - opened
 
+permissions:
+  # Label issues.
+  issues: write
+
 jobs:
   label-new-issues:
     runs-on: ubuntu-latest

.github/workflows/ping-other-repos.yml

@@ -11,6 +11,10 @@ name: Ping other repos
 on:
   push:
     branches: [main]
+
+# No GITHUB_TOKEN permissions, as we use REPO_PINGER_MDN_SPEC_LINKS.
+permissions: {}
+
 jobs:
   ping:
     # Don't run in forks, or when Dependabot merges a PR.

.github/workflows/pr-check-lint_content.yml

@@ -10,6 +10,7 @@ on:
       - "files/**/*.md"
 
 permissions:
+  # Compare commits and add reviewdog comments.
   pull-requests: write
 
 concurrency:

.github/workflows/pr-check_cspell_lists.yml

@@ -7,6 +7,9 @@ on:
     paths:
       - .vscode/dictionaries/*
 
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
   docs:
     runs-on: ubuntu-latest

.github/workflows/pr-check_javascript.yml

@@ -10,6 +10,9 @@ on:
       - "**/*.mjs"
       - .github/workflows/pr-check_javascript.yml
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   lint-js:
     runs-on: ubuntu-latest

.github/workflows/pr-check_json.yml

@@ -10,6 +10,9 @@ on:
       - "**/*.jsonc"
       - .github/workflows/pr-check_json.yml
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   lint-json:
     runs-on: ubuntu-latest

.github/workflows/pr-check_redirects.yml

@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   check-redirects:
     runs-on: ubuntu-latest

.github/workflows/pr-check_scripts.yml

@@ -10,6 +10,9 @@ on:
       - yarn.lock
       - .github/workflows/pr-check_scripts.yml
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   up-to-date-check:
     runs-on: ubuntu-latest

.github/workflows/pr-check_url-issues.yml

@@ -7,6 +7,9 @@ on:
     paths:
       - "files/**/*.md"
 
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
   check_url_issues:
     #if: github.repository == 'mdn/content'

.github/workflows/pr-check_yml.yml

@@ -10,6 +10,9 @@ on:
       - "**/*.yml"
       - .github/workflows/pr-check_yml.yml
 
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
   lint-yml:
     runs-on: ubuntu-latest

.github/workflows/pr-labeler.yml

@@ -4,8 +4,11 @@ on:
   - pull_request_target
 
 permissions:
+  # Patch issues, see: https://github.com/CodelyTV/pr-size-labeler/pull/89
   issues: write
+  # Label pull requests.
   pull-requests: write
+  # Fetch files (used by actions/labeler to get config).
   contents: read
 
 jobs:

.github/workflows/pr-rebase-needed.yml

@@ -5,6 +5,10 @@ on:
   pull_request_target:
     types: [synchronize]
 
+permissions:
+  # Label pull requests.
+  pull-requests: write
+
 jobs:
   label-rebase-needed:
     uses: mdn/workflows/.github/workflows/pr-rebase-needed.yml@main

.github/workflows/pr-review-companion.yml

@@ -11,6 +11,12 @@ on:
     types:
       - completed
 
+permissions:
+  # Download artifact.
+  actions: read
+  # Post comment in pull request.
+  pull-requests: write
+
 jobs:
   review:
     runs-on: ubuntu-latest

.github/workflows/pr-test-legacy.yml

@@ -11,13 +11,14 @@ on:
     branches:
       - main
 
+permissions:
+  # Compare two commits.
+  contents: read
+
 jobs:
   tests:
     if: github.repository == 'mdn/content'
     runs-on: ubuntu-latest
-    # Set the permissions to `read-all`, preventing the workflow from
-    # any accidental write access to the repository.
-    permissions: read-all
     env:
       BASE_SHA: ${{ github.event.pull_request.base.sha }}
       HEAD_SHA: ${{ github.event.pull_request.head.sha }}

.github/workflows/pr-test.yml

@@ -11,13 +11,14 @@ on:
     branches:
       - main
 
+permissions:
+  # Compare two commits.
+  contents: read
+
 jobs:
   tests:
     if: github.repository == 'mdn/content'
     runs-on: ubuntu-latest
-    # Set the permissions to `read-all`, preventing the workflow from
-    # any accidental write access to the repository.
-    permissions: read-all
     env:
       BASE_SHA: ${{ github.event.pull_request.base.sha }}
       HEAD_SHA: ${{ github.event.pull_request.head.sha }}

.github/workflows/spelling-check-bot.yml

@@ -5,6 +5,10 @@ on:
     - cron: "0 0 * * mon"
   workflow_dispatch:
 
+permissions:
+  # Create issue.
+  issues: write
+
 jobs:
   sync:
     if: github.repository == 'mdn/content'

.github/workflows/system-file-changes.yml

@@ -10,6 +10,9 @@ on:
       - package.json
       - yarn.lock
 
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
   block:
     # This makes sure it only runs on our origin repo