chore: use minimal permissions for workflows (coder#422)

jawnsy · web-flow · commit 07f59d8210a3 · 2021-06-21T11:08:43.000-07:00
* Restrict GITHUB_TOKEN for Quality workflow to metadata (read)
  and file contents (read)
* Restrict GITHUB_TOKEN for Preview workflow to metadata (read),
  file contents (read), and pull request (read/write)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -11,6 +11,18 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/preview.yaml b/.github/workflows/preview.yaml
@@ -5,6 +5,18 @@ on:
     branches:
       - main
 
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   preview:
     name: Preview
