Added default WF permission to read-only (#236)

* Added default WF permission to read-only

* set least privilege

Author: soumeh01

.github/workflows/codeql.yml

@@ -9,10 +9,7 @@ on:
       - main
 
 permissions:
-  actions: read
-  checks: write
   contents: read
-  security-events: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -22,6 +19,11 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      contents: read
+      security-events: write
 
     steps:
       - name: Harden the runner (Audit all outbound calls)

.github/workflows/markdown.yml

@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   linter:
     name: Lint Markdown Files

.github/workflows/mkdocs.yml

@@ -5,8 +5,7 @@ on:
       - '.github/workflows/mkdocs.yml'
       - 'docs/**/*'
   push:
-    branches:
-      main
+    branches: [ main ]
     paths:
       - '.github/workflows/mkdocs.yml'
       - 'docs/**/*'

.github/workflows/scorecard.yml

@@ -11,8 +11,8 @@ on:
   push:
     branches: [ "main" ]
 
-# Declare default permissions as read-only.
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis: