fix: address security risks in GitHub Actions workflows (#1651)

* Remove cache consumption in release workflow.

* Tighten style-check.yml permissions

* Tighten permissions in test workflow that consumes cache.

* Use stricter permissions where possible

---------

Co-authored-by: Justin Halsall <[email protected]>

Author: AdnaneKhan

.github/workflows/ci-cd.yml

@@ -7,6 +7,8 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   release:
     name: Tests
+    permissions:
+      contents: read
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Repo

.github/workflows/release.yml

@@ -19,7 +19,6 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: lts/*
-          cache: 'yarn'
 
       - name: Install Dependencies
         run: yarn install --frozen-lockfile

.github/workflows/style-check.yml

@@ -5,6 +5,8 @@ on: [push, pull_request_target]
 jobs:
   eslint_check_upload:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     name: ESLint Check and Report Upload
 
     steps:
@@ -36,6 +38,8 @@ jobs:
   annotation:
     # Skip the annotation action in push events
     if: github.event_name == 'pull_request_target'
+    permissions:
+      checks: write
     needs: eslint_check_upload
     runs-on: ubuntu-latest
     name: ESLint Annotation
@@ -52,6 +56,8 @@ jobs:
   prettier_check:
     # In the forked PR, it's hard to format code and push to the branch directly, so the action only check the format correctness.
     if: github.event_name != 'push' && github.event.pull_request.head.repo.full_name != 'rrweb-io/rrweb'
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     name: Format Check
     steps:
@@ -73,6 +79,8 @@ jobs:
     # Skip the format code action in forked PRs
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'rrweb-io/rrweb'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     name: Format Code
     steps:
       - uses: actions/checkout@v3