GitHub Workflows security hardening (#3519)

* build: harden tutorials.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden contrib.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden tests.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

Author: sashashura

.github/workflows/contrib.yml

@@ -22,6 +22,9 @@ concurrency:
   group: contrib-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   stable:
     # Check each OS, all supported Python, minimum versions and latest releases

.github/workflows/tests.yml

@@ -29,8 +29,12 @@ concurrency:
   group: tests-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
 jobs:
   build:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -80,6 +84,9 @@ jobs:
 
   stable:
     # Check each OS, all supported Python, minimum versions and latest releases
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:

.github/workflows/tutorials.yml

@@ -9,6 +9,7 @@ concurrency:
   group: tutorials-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
 jobs:
   tutorial:
     runs-on: ubuntu-latest