Fix workflow permission issues. (opea-project#2018)

Signed-off-by: ZePan110 <ze.pan@intel.com>
Signed-off-by: cogniware-devops <ambarish.desai@cogniware.ai>

Author: ZePan110

.github/workflows/_example-workflow.yml

@@ -69,6 +69,22 @@ jobs:
 # Image Build
 ####################################################################################################
   build-images:
+    permissions:
+      actions: read
+      contents: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      id-token: write
+      attestations: read
+      models: read
     uses: ./.github/workflows/_build_image.yml
     with:
       node: ${{ inputs.node }}
@@ -83,6 +99,17 @@ jobs:
 # Docker Compose Test
 ####################################################################################################
   test-example-compose:
+    permissions:
+      actions: read
+      contents: read
+      checks: write
+      deployments: write
+      issues: write
+      packages: write
+      pages: write
+      pull-requests: write
+      statuses: write
+      security-events: read
     needs: [build-images]
     if: ${{ inputs.test_compose }}
     uses: ./.github/workflows/_run-docker-compose.yml
@@ -99,6 +126,8 @@ jobs:
 # helmchart Test
 ####################################################################################################
   test-helmchart:
+    permissions:
+      contents: read
     if: ${{ fromJSON(inputs.test_helmchart) }}
     uses: ./.github/workflows/_helm-e2e.yml
     with:

.github/workflows/manual-example-workflow.yml

@@ -99,6 +99,22 @@ jobs:
       opea_branch: ${{ inputs.opea_branch }}
 
   run-examples:
+    permissions:
+      actions: read
+      attestations: read
+      discussions: read
+      models: read
+      repository-projects: read
+      id-token: write
+      contents: read
+      checks: write
+      deployments: write
+      issues: write
+      packages: write
+      pages: write
+      pull-requests: write
+      statuses: write
+      security-events: read
     needs: [get-test-matrix, build-comps-base]
     strategy:
       matrix:

.github/workflows/manual-image-build.yml

@@ -66,6 +66,22 @@ jobs:
           echo "nodes=$nodes_json" >> $GITHUB_OUTPUT
 
   image-build:
+    permissions:
+      actions: read
+      attestations: read
+      discussions: read
+      models: read
+      repository-projects: read
+      id-token: write
+      contents: read
+      checks: write
+      deployments: write
+      issues: write
+      packages: write
+      pages: write
+      pull-requests: write
+      statuses: write
+      security-events: read
     needs: get-test-matrix
     if: ${{ needs.get-test-matrix.outputs.nodes != '' }}
     strategy:

.github/workflows/manual-reset-local-registry.yml

@@ -63,6 +63,22 @@ jobs:
           docker ps | grep registry
 
   build:
+    permissions:
+      actions: read
+      attestations: read
+      discussions: read
+      models: read
+      repository-projects: read
+      id-token: write
+      contents: read
+      checks: write
+      deployments: write
+      issues: write
+      packages: write
+      pages: write
+      pull-requests: write
+      statuses: write
+      security-events: read
     needs: [get-build-matrix, clean-up]
     if: ${{ needs.get-image-list.outputs.matrix != '' }}
     strategy:

.github/workflows/nightly-docker-build-publish.yml

@@ -3,7 +3,21 @@
 
 name: Nightly build/publish latest docker images
 permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
   security-events: read
+  id-token: write
+  attestations: read
+  models: read
 
 on:
   schedule:
@@ -77,20 +91,20 @@ jobs:
     needs: [get-build-matrix]
     permissions:
       actions: read
-      contents: read
-      checks: read
-      deployments: read
+      attestations: read
       discussions: read
-      issues: read
-      packages: read
-      pages: read
-      pull-requests: read
+      models: read
       repository-projects: read
-      statuses: read
-      security-events: read
       id-token: write
-      attestations: read
-      models: read
+      contents: read
+      checks: write
+      deployments: write
+      issues: write
+      packages: write
+      pages: write
+      pull-requests: write
+      statuses: write
+      security-events: read
     if: ${{ needs.get-build-matrix.outputs.examples_json != '' }}
     strategy:
       matrix:

.github/workflows/push-image-build.yml

@@ -40,6 +40,22 @@ jobs:
       test_mode: "docker_image_build"
 
   image-build:
+    permissions:
+      actions: read
+      attestations: read
+      discussions: read
+      models: read
+      repository-projects: read
+      id-token: write
+      contents: read
+      checks: write
+      deployments: write
+      issues: write
+      packages: write
+      pages: write
+      pull-requests: write
+      statuses: write
+      security-events: read
     needs: job1
     if: ${{ needs.job1.outputs.run_matrix != '{"include":[]}' }}
     strategy:

.github/workflows/weekly-example-test.yml

@@ -52,16 +52,16 @@ jobs:
       id-token: write
       actions: read
       attestations: read
-      checks: read
-      deployments: read
+      checks: write
+      deployments: write
       discussions: read
-      issues: read
+      issues: write
       models: read
-      packages: read
-      pages: read
-      pull-requests: read
+      packages: write
+      pages: write
+      pull-requests: write
       repository-projects: read
-      statuses: read
+      statuses: write
       security-events: read
     needs: [get-test-matrix, build-comps-base]
     strategy: