[CI] Update all workflows with permissions (#13672)

update

Author: DN6

.github/workflows/benchmark.yml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "30 1 1,15 * *" # every 2 weeks on the 1st and the 15th of every month at 1:30 AM
 
+permissions:
+  contents: read
+
 env:
   DIFFUSERS_IS_CI: yes
   HF_XET_HIGH_PERFORMANCE: 1

.github/workflows/build_docker_images.yml

@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 env:
   REGISTRY: diffusers
   CI_SLACK_CHANNEL: ${{ secrets.CI_DOCKER_CHANNEL }}
@@ -23,6 +26,9 @@ jobs:
     runs-on:
       group: aws-general-8-plus
     if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3

.github/workflows/build_documentation.yml

@@ -12,6 +12,9 @@ on:
       - "examples/**"
       - "docs/**"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@2430c1ec91d04667414e2fa31ecfc36c153ea391  # main

.github/workflows/build_pr_documentation.yml

@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check-links:
     runs-on: ubuntu-latest

.github/workflows/mirror_community_pipeline.yml

@@ -20,6 +20,9 @@ on:
         required: true
         default: 'main'
 
+permissions:
+  contents: read
+
 jobs:
   mirror_community_pipeline:
     env:

.github/workflows/nightly_tests.yml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "0 0 * * *" # every day at midnight
 
+permissions:
+  contents: read
+
 env:
   DIFFUSERS_IS_CI: yes
   HF_XET_HIGH_PERFORMANCE: 1

.github/workflows/notify_slack_about_release.yml

@@ -5,6 +5,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-22.04

.github/workflows/pr_dependency_test.yml

@@ -15,6 +15,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check_dependencies:
     runs-on: ubuntu-22.04

.github/workflows/pr_modular_tests.yml

@@ -25,6 +25,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 env:
   DIFFUSERS_IS_CI: yes
   HF_XET_HIGH_PERFORMANCE: 1

.github/workflows/pr_test_fetcher.yml

@@ -2,6 +2,9 @@ name: Fast tests for PRs - Test Fetcher
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 env:
   DIFFUSERS_IS_CI: yes
   OMP_NUM_THREADS: 4