Set default permissions to "read-all"

Only some actions need "contents: write", set on job level.

Author: afranken

.github/workflows/codeql.yml

@@ -20,8 +20,8 @@ on:
   schedule:
     - cron: '43 21 * * 6'
 
-permissions:
-  contents: read
+# Declare default permissions as read only.
+permissions: read-all
 
 concurrency:
   group: codeql-${{ github.ref }}

.github/workflows/dependency-review.yml

@@ -9,8 +9,8 @@
 name: 'Dependency Review'
 on: [pull_request]
 
-permissions:
-  contents: write
+# Declare default permissions as read only.
+permissions: read-all
 
 concurrency:
   group: dependency-review-${{ github.ref }}

.github/workflows/maven-ci-and-prb.yml

@@ -24,8 +24,8 @@ on:
   pull_request:
     branches: [s3mock-v2, main]
 
-permissions:
-  contents: read
+# Declare default permissions as read only.
+permissions: read-all
 
 concurrency:
   group: ci-${{ github.ref }}
@@ -34,7 +34,8 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0

.github/workflows/maven-release.yml

@@ -19,10 +19,15 @@
 name: Maven Release
 
 on: workflow_dispatch
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0

.github/workflows/sbom.yml

@@ -8,6 +8,9 @@ concurrency:
   group: sbom-${{ github.ref }}
   cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest