ci: set explicit strict permissions

Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>

Author: chawyehsu

.github/workflows/ci.yml

@@ -5,6 +5,9 @@ on:
   push:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
@@ -26,6 +29,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ScoopInstaller/Scoop
+          ref: 'develop'
           path: 'scoop_core'
       - name: Install and cache test dependencies
         uses: potatoqualitee/psmodulecache@ee5e9494714abf56f6efbfa51527b2aec5c761b8 # v6.2.1

.github/workflows/excavator.yml

@@ -1,16 +1,23 @@
+name: Excavator
+
 on:
   workflow_dispatch:
   schedule:
     - cron: '0 */4 * * *'
-name: Excavator
+
+permissions:
+  contents: write
+
 jobs:
   excavate:
     name: Excavate
     runs-on: windows-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Checkout
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Excavate
       uses: ScoopInstaller/GithubActions@main
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SKIP_UPDATED: '1'
+        SCOOP_BRANCH: develop

.github/workflows/issue_comment.yml

@@ -1,15 +1,23 @@
+name: Commented Pull Request
+
 on:
   issue_comment:
     types: [ created ]
-name: Commented Pull Request
+
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   pullRequestHandler:
     name: PullRequestHandler
     runs-on: windows-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Checkout
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: PullRequestHandler
       uses: ScoopInstaller/GithubActions@main
       if: startsWith(github.event.comment.body, '/verify')
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SCOOP_BRANCH: develop

.github/workflows/issues.yml

@@ -1,15 +1,23 @@
+name: Issues
+
 on:
   issues:
     types: [ opened, labeled ]
-name: Issues
+
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   issueHandler:
     name: IssueHandler
     runs-on: windows-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Checkout
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: IssueHandler
       uses: ScoopInstaller/GithubActions@main
       if: github.event.action == 'opened' || (github.event.action == 'labeled' && contains(github.event.issue.labels.*.name, 'verify'))
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SCOOP_BRANCH: develop

.github/workflows/pull_request.yml

@@ -1,14 +1,22 @@
+name: Pull Requests
+
 on:
   pull_request:
     types: [ opened ]
-name: Pull Requests
+
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   pullRequestHandler:
     name: PullRequestHandler
     runs-on: windows-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Checkout
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: PullRequestHandler
       uses: ScoopInstaller/GithubActions@main
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SCOOP_BRANCH: develop