
Check effect of changing default workflow permissions to match GitHub's security recommendations #8178

@t-will-gillis

Overview

We need to change the permissions of the default GITHUB_TOKEN from read/write to read-only, per GitHub's security best-practice recommendation.

Details

Before proceeding, read the explainer below.

We need to audit each of our workflows to identify exactly which permissions are needed at each level of the workflow, i.e. workflow-level (overall), job-level, and step-level.
This issue has three objectives:

  • First, we will reduce the permissions of the default GITHUB_TOKEN.
    • At the top level of each workflow's YAML, explicitly state the default token's permissions:
      # Set defaults for GITHUB_TOKEN
      permissions:
        contents: read
        issues: read
    • Next, we will analyze and test each workflow to check whether additional permissions are required at the step level to ensure each workflow functions as expected, and note whether the permission requires a PAT.
  • This information will be itemized on a spreadsheet for each step of each workflow.
  • See the additional comments and the "Permissions audit" that follow.

TODO

  • After all workflows have been audited, reduce the default permissions at the bottom of https://github.com/hackforla/website/settings/actions
  • Three action items from the security audit:
    • admin:org_hook on HACKFORLA_BOT_PA_TOKEN and HACKFORLA_ADMIN_TOKEN — No workflow creates, updates, or deletes webhooks. This scope appears unused on both tokens and can likely be removed after testing.
    • repo vs public_repo on HACKFORLA_GRAPHQL_TOKEN — repo grants full access including private repos. If all targeted repos are public, this could be narrowed to public_repo. Requires testing to confirm no operation depends on the broader scope.
    • pr-verification.yml — pull_request_target without a repository guard — This is the only pull_request_target workflow and has no if: github.repository == 'hackforla/website' guard. Practical risk is low (HACKFORLA_ADMIN_TOKEN is not available in fork secret stores), but the pattern is inconsistent with other workflows.
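As an added example (not a workflow from the hackforla/website repository), the following workflow applies the pattern this issue asks for: a read-only workflow-level default for GITHUB_TOKEN, one job that raises only the single scope it needs, and the repository guard named in the TODO list. The workflow name, job names and comment text are placeholders.

```yaml
# Added example, not a hackforla/website workflow. Names are placeholders.
name: Example least-privilege workflow

on:
  pull_request_target:
    types: [opened, synchronize]

# Workflow-level default for GITHUB_TOKEN: read-only. Every job that does
# not declare its own `permissions` block inherits exactly this.
permissions:
  contents: read
  issues: read

jobs:
  verify:
    # Repository guard: skip the run when the workflow executes in a fork.
    if: github.repository == 'hackforla/website'
    runs-on: ubuntu-latest
    # This job only reads the repository, so it inherits the default above.
    steps:
      # On pull_request_target the default checkout is the base branch,
      # so the untrusted PR head is not executed with the base repo token.
      - uses: actions/checkout@v4
      - run: echo "running checks against the base branch"

  comment:
    needs: verify
    if: github.repository == 'hackforla/website'
    runs-on: ubuntu-latest
    # Job-level escalation: only this job may write to pull requests.
    # (`permissions` is accepted at workflow and job level, not on steps;
    # a step that needs more than the job has must use a PAT secret.)
    permissions:
      pull-requests: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: 'Automated check completed.'
            })
```

When auditing, record each job's declared scopes next to the API calls its steps actually make; any scope that no step exercises should be dropped from that job.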

Action Items

Resources/Instructions
