ci: restrict permissions

.github/workflows/test.yml

@@ -4,6 +4,9 @@ name: CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:

new-package/github/workflows/test.yml

@@ -4,6 +4,9 @@ name: CI
 # events but only for the main branch
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:
@@ -64,6 +67,9 @@ jobs:
   publish:
     needs: [test] # make sure all your other jobs succeed before trying to publish
 
+    permissions:
+      contents: write
+
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 

test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml

@@ -4,6 +4,9 @@ name: CI
 # events but only for the main branch
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:
@@ -64,6 +67,9 @@ jobs:
   publish:
     needs: [test] # make sure all your other jobs succeed before trying to publish
 
+    permissions:
+      contents: write
+
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 

test/run-snapshots/elm-review-something/.github/workflows/test.yml

@@ -4,6 +4,9 @@ name: CI
 # events but only for the main branch
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:
@@ -64,6 +67,9 @@ jobs:
   publish:
     needs: [test] # make sure all your other jobs succeed before trying to publish
 
+    permissions:
+      contents: write
+
     # The type of runner that the job will run on
     runs-on: ubuntu-latest