Set minimal workflow permissions #2772

Closed
@pnacht

Description

This repo's automated workflows currently run with write-all tokens. This puts the project at risk of supply-chain attacks. GitHub recommends ensuring all workflows run with minimal permissions.

I've taken a look at the workflows and they don't need such broad permissions.

This issue can be solved in two ways:

  • add top-level read-only permissions to all workflows; and/or
  • set the default token permissions to read-only in the repo settings.

I'll be sending a PR along with this issue that sets the top-level permissions (and grants additional permissions for the jobs that need them). If you instead (or also) wish to modify the default token permissions:

  1. Open the repo settings
  2. Go to Actions > General
  3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation to improve the supply-chain security of important open-source projects.
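The two-level layout the issue proposes (read-only at the top, write only where a job needs it), as an added example that is not this project's workflow or the author's PR; the workflow, job and script names are hypothetical.

```yaml
# Added example: a workflow hardened the way the issue describes.
# Top-level permissions are read-only; only the job that needs to
# write gets a job-level grant. Names below are hypothetical.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Without this block the token falls back to the repository default,
# which on older repositories is write-all. A top-level block applies
# to every job that does not declare its own permissions.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test            # hypothetical build/test command

  publish-package:
    needs: build
    runs-on: ubuntu-latest
    # Job-level grant: a job-level block REPLACES the top-level one
    # for this job rather than extending it, so contents: read must be
    # repeated here or checkout loses read access. Every other job
    # keeps the read-only token from the top level.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish.sh # hypothetical step that uses GITHUB_TOKEN
```

To confirm the result after merging, open any job's log and expand the "Set up job" step: the "GITHUB_TOKEN Permissions" section lists the scopes the token actually received, so a job still showing write scopes it does not need is the one to tighten next.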
