fix: repair workflow permissions (CKV2_GHA_1) (#252)

* fix: repair workflow permissions (CKV2_GHA_1) ferrarimarco/dotfiles@7695d832ed4
* style: apply Prettier

Author: LucasLarson

.github/workflows/changelog.yml

@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -87,4 +90,3 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN || secrets.PAT }}
           branch: ${{ github.ref }}
-...

.github/workflows/codeql-analysis.yml

@@ -10,9 +10,12 @@ on:
     #        │  │ ┌───── day of the month (1 - 31)
     #        │  │ │ ┌─── month (1 - 12 or JAN-DEC)
     #        │  │ │ │ ┌─ day of the week (0 - 6 or SUN-SAT)
-    - cron: '30 1 * * 0'
+    - cron: "30 1 * * 0"
     # Sunday at 1:30am UTC
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
     # CodeQL runs on `ubuntu-latest`, `windows-latest`, and `macos-latest`
@@ -38,4 +41,3 @@ jobs:
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
-...

.github/workflows/cpp.yml

@@ -13,9 +13,11 @@ on:
   schedule:
     - cron: "0 14 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   build:
-
     runs-on: macos-latest
 
     steps:
@@ -29,4 +31,3 @@ jobs:
           -fdiagnostics-print-source-range-info -fdiagnostics-show-option \
           -fshow-source-location -ftime-report \
           ./*.cpp -o HQ9+
-...

.github/workflows/flawfinder.yml

@@ -13,7 +13,10 @@ on:
     # The branches below must be a subset of the branches above
     branches: ["main"]
   schedule:
-    - cron: '20 23 * * 1'
+    - cron: "20 23 * * 1"
+
+permissions:
+  contents: read
 
 jobs:
   flawfinder:
@@ -30,11 +33,10 @@ jobs:
       - name: flawfinder_scan
         uses: david-a-wheeler/[email protected]
         with:
-          arguments: '--sarif ./'
-          output: 'flawfinder_results.sarif'
+          arguments: "--sarif ./"
+          output: "flawfinder_results.sarif"
 
       - name: Upload analysis results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{github.workspace}}/flawfinder_results.sarif
-...

.github/workflows/jsonlint.yml

@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   format-json:
     name: Format JSON files and create a pull request
@@ -97,4 +100,3 @@ jobs:
           labels: enhancement, github_actions
           branch: format-json
           base: ${{ github.head_ref }}
-...

.github/workflows/shellcheck-markdown.yml

@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -92,4 +95,3 @@ jobs:
             ./codesnippets_code \
             "$0" ||
             exit 1
-...

.github/workflows/super-linter.yml

@@ -17,6 +17,12 @@ name: Super-Linter
 on:
   push:
 
+############################
+# Ensure safer permissions #
+############################
+permissions:
+  contents: read
+
 ###############
 # Set the Job #
 ###############
@@ -49,4 +55,3 @@ jobs:
           VALIDATE_ALL_CODEBASE: false
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-...