added permission to workflows

.github/workflows/ci.yaml

@@ -20,6 +20,8 @@ jobs:
     strategy:
       matrix:
         node-version: [16.x, 18.x]
+    permissions:
+      pull-requests: read
     steps:
     - uses: actions/checkout@v3
     - name: Use Node.js ${{ matrix.node-version }}
@@ -34,6 +36,8 @@ jobs:
     strategy:
       matrix:
         node-version: [16.x, 18.x]
+    permissions:
+      pull-requests: read
     steps:
     - uses: actions/checkout@v3
     - name: Use Node.js ${{ matrix.node-version }}
@@ -62,6 +66,10 @@ jobs:
     strategy:
       matrix:
         node-version: [16.x, 18.x]
+    permissions:
+      statuses: write
+      pull-requests: write
+      packages: read
     steps:
     - uses: actions/checkout@v3
     - name: Use Node.js ${{ matrix.node-version }}
@@ -76,6 +84,10 @@ jobs:
     strategy:
       matrix:
         node-version: [16.x, 18.x]
+    permissions:
+      statuses: write
+      pull-requests: write
+      packages: read
     steps:
     - uses: actions/checkout@v3
     - name: Use Node.js ${{ matrix.node-version }}
@@ -90,7 +102,7 @@ jobs:
       with:
         firefox-version: latest
     - name: Download geckodriver
-      env: 
+      env:
         GECKODRIVER_VERSION: v0.33.0
       run: curl -sL https://github.com/mozilla/geckodriver/releases/download/${{env.GECKODRIVER_VERSION}}/geckodriver-${{env.GECKODRIVER_VERSION}}-linux64.tar.gz | tar xzvf -
     - name: Add to PATH

.github/workflows/dependent-issues.yml

@@ -20,6 +20,10 @@ on:
 
 jobs:
   check:
+    permissions:
+      issues: write
+      pull-requests: write
+      statuses: write
     runs-on: ubuntu-latest
     steps:
       - uses: z0al/dependent-issues@v1

.github/workflows/image-cleanup.yml

@@ -9,12 +9,14 @@ jobs:
   delete-images:
     name: Delete PR-scoped test images
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: r26d/[email protected]
         with:
           owner: ${{ github.repository_owner }}
           name: cryostat-web
-          token: ${{ secrets.GHCR_PR_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           ignore-missing-package: true
           tag-regex: pr-${{ github.event.number }}-.*
           tagged-keep-latest: 0

.github/workflows/labeler.yml

@@ -2,7 +2,7 @@ name: Label pull request
 
 on:
   pull_request_target:
-    types: 
+    types:
       - opened
       - reopened
 

.github/workflows/linked-issue.yml

@@ -11,6 +11,8 @@ on:
 jobs:
   verify-linked-issue:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
     name: Verify Pull Request references Issue
     steps:

.github/workflows/pr-ci.yml

@@ -43,7 +43,7 @@ jobs:
               repo,
               comment_id: context.payload.comment.id,
               content: "+1",
-            });  
+            });
 
   checkout-branch:
     runs-on: ubuntu-latest

.github/workflows/pr-labeled.yml

@@ -11,6 +11,8 @@ on:
 jobs:
   check-pr-label-and-comment:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: yashhy/[email protected]
         with:

.github/workflows/release-drafter.yml

@@ -16,6 +16,8 @@ on:
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "main"
       - uses: release-drafter/release-drafter@v5

.github/workflows/semantic-pr.yml

@@ -11,6 +11,9 @@ on:
 jobs:
   main:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      statuses: write
     steps:
       - uses: amannn/[email protected]
         env: