Merge pull request #20468 from sashashura/patch-1

GitHub Workflows security hardening

.github/workflows/ci.yml

@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   inspect-code:
     name: Code Quality

.github/workflows/report-nunit.yml

@@ -8,8 +8,12 @@ on:
     workflows: ["Continuous Integration"]
     types:
       - completed
+permissions: {}
 jobs:
   annotate:
+    permissions:
+      checks: write # to create checks (dorny/test-reporter)
+
     name: Annotate CI run with test results
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion != 'cancelled' }}

.github/workflows/sentry-release.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   sentry_release:
     runs-on: ubuntu-latest