Add permission matrices to all Actions workflows (#23563)

* Add permission matrices to all Actions workflows

Also cleanup a few token references

* Add actions:read permissions for CodeQL

* Add prs:read permissions for unit test workflow

Author: JamesMGreene

.github/workflows/60-days-stale-check.yml

@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: '40 16 * * *' # Run each day at 16:40 UTC / 8:40 PST
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'

.github/workflows/add-review-template.yml

@@ -9,6 +9,9 @@ on:
     types:
       - labeled
 
+permissions:
+  contents: read
+
 jobs:
   comment-that-approved:
     name: Add review template

.github/workflows/auto-label-prs.yml

@@ -7,6 +7,10 @@ name: Auto label Pull Requests
 on:
   pull_request:
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   triage:
     if: github.repository == 'github/docs-internal'

.github/workflows/autoupdate-branch.yml

@@ -24,6 +24,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   autoupdate:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'

.github/workflows/browser-test.yml

@@ -22,6 +22,9 @@ on:
       # Ultimately, for debugging this workflow itself
       - .github/workflows/browser-test.yml
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/check-all-english-links.yml

@@ -9,6 +9,10 @@ on:
   schedule:
     - cron: '40 19 * * *' # once a day at 19:40 UTC / 11:40 PST
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   check_all_english_links:
     name: Check all links

.github/workflows/check-broken-links-github-github.yml

@@ -9,6 +9,9 @@ on:
   schedule:
     - cron: '20 13 * * 1' # run every Monday at 1:20PM UTC
 
+permissions:
+  contents: read
+
 # **IMPORTANT:** Do not change the FREEZE environment variable set here!
 # This workflow runs on a recurring basis. To temporarily disable it (e.g.,
 # during a docs deployment freeze), add an Actions Secret to the repo settings

.github/workflows/check-for-spammy-issues.yml

@@ -7,6 +7,10 @@ name: Check for Spammy Issues
 on:
   issues:
     types: [opened]
+
+permissions:
+  contents: none
+
 jobs:
   spammy-title-check:
     name: Remove issues with spammy titles

.github/workflows/code-lint.yml

@@ -4,9 +4,6 @@ name: Lint code
 # **Why we have it**: We want some level of consistency to our code.
 # **Who does it impact**: Docs engineering, open-source engineering contributors.
 
-permissions:
-  contents: read
-
 on:
   workflow_dispatch:
   push:
@@ -26,6 +23,9 @@ on:
       # Ultimately, for debugging this workflow itself
       - .github/workflows/code-lint.yml
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -15,6 +15,10 @@ on:
       - '**/*.js'
       - '.github/workflows/codeql.yml'
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   build:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'