ci: set minimal permissions to github workflows (#4665)

* set ci.yml minimal permissions

Signed-off-by: Joyce <joycebrum@google.com>

* set configure.yml minimal permissions

Signed-off-by: Joyce <joycebrum@google.com>

* set format.yml minimal permissions

Signed-off-by: Joyce <joycebrum@google.com>

* set pip.yml minimal permissions

Signed-off-by: Joyce <joycebrum@google.com>

* set upstream.yml minimal permissions

Signed-off-by: Joyce <joycebrum@google.com>

* set labeler.yml minimal permissions

Signed-off-by: Joyce <joycebrum@google.com>

* Update ci.yml to read all

Signed-off-by: Joyce <joycebrum@google.com>

* test labeler.yml

Signed-off-by: Joyce <joycebrum@google.com>

* restore the if at labeler.yml

Signed-off-by: Joyce <joycebrum@google.com>

---------

Signed-off-by: Joyce <joycebrum@google.com>

.github/workflows/ci.yml

@@ -9,6 +9,8 @@ on:
       - stable
       - v*
 
+permissions: read-all
+
 concurrency:
   group: test-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/configure.yml

@@ -9,6 +9,9 @@ on:
       - stable
       - v*
 
+permissions:
+  contents: read
+
 env:
   # For cmake:
   VERBOSE: 1

.github/workflows/format.yml

@@ -12,6 +12,9 @@ on:
     - stable
     - "v*"
 
+permissions:
+  contents: read
+
 env:
   FORCE_COLOR: 3
   # For cmake:

.github/workflows/labeler.yml

@@ -3,10 +3,15 @@ on:
   pull_request_target:
     types: [closed]
 
+permissions: {}
+
 jobs:
   label:
     name: Labeler
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
 
     - uses: actions/labeler@main

.github/workflows/pip.yml

@@ -12,6 +12,9 @@ on:
     types:
     - published
 
+permissions:
+  contents: read
+
 env:
   PIP_ONLY_BINARY: numpy
 

.github/workflows/upstream.yml

@@ -5,6 +5,9 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: upstream-${{ github.ref }}
   cancel-in-progress: true