
Add minimal permissions to GitHub workflows #262

Closed
pnacht opened this issue Mar 16, 2023 · 6 comments

Comments

@pnacht

pnacht commented Mar 16, 2023

GitHub workflows run with write-all permissions. This makes repositories vulnerable to supply-chain attacks.

Given num-traits' workflows are mainly for testing, they don't require such broad permissions. I'd therefore like to help the project close this vulnerability.

This can be done in two ways:

  1. We can add top-level read-only permissions to all the workflows; and/or
  2. You can change the repository settings to change the default permissions from write-all to read-only.

I'll send a PR along with this issue setting the top-level permissions on the workflows.

Or, if you'd rather (or also wish to) change the repository's default settings:

  1. Open the repo settings
  2. Go to Actions > General
  3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.

@cuviper
Member

cuviper commented Mar 24, 2023

> Or, if you'd rather (or also wish to) change the repository's default settings:

I have changed this at the org level, and confirmed that it propagated to all repo settings.

But this is not visible to anyone outside, is it? So how did you know... Are you filing these issues with the assumption that folks have left read/write enabled?

@pnacht
Author

pnacht commented Mar 24, 2023

It isn't transparent to outsiders, no, but it can be sniffed out! Just need to look at the workflow logs, in the "Set up job" step there's a "GITHUB_TOKEN permissions" section which lists all permissions granted to that particular job (example).

Though, if I'm being honest, I could just as easily assume people left things as write-all... exceptions are rare!

@cuviper
Member

cuviper commented Mar 24, 2023

Heh, well that's pretty transparent, just in a hidden place. :)

Is there much value left in changing the individual workflow settings? In #263 it looks like that does have further effect, dropping `packages: read`, but that permission seems fine even if we did use GitHub packages.

@pnacht
Author

pnacht commented Mar 24, 2023

The value is mainly in redundancy (in case someone gets confused and changes the setting) and config-as-code, which makes it easier for users to see your workflows are secure. So the absolute best practice would be to do both, but just changing the setting already gets you 99% of the way there, so totally understandable if you'd rather skip the explicit permissions.

@pnacht
Author

pnacht commented Mar 24, 2023

Also, some tools (for example, the OpenSSF Scorecard) score projects' supply-chain security posture, and they check this sort of thing. For token permissions, they scan for explicit permissions since hunting through logs is too convoluted.
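The two points made in this thread, the explicit top-level `permissions:` block proposed in the opening comment and the Scorecard-style check that looks for it in the workflow file rather than in job logs, can be shown together in one script. The following is an added example written for this page; it is not code from the thread, from num-traits, or from the OpenSSF Scorecard project. It embeds two constructed sample workflows (the `release` job that raises `contents: write` is hypothetical, num-traits has no such job here), parses them with a small line-based scanner that assumes ordinary block-style YAML with consistent indentation (it is not a full YAML parser, so flow-style `permissions: {contents: read}` and comments inside a block are not handled), and reports whether the workflow restricts `GITHUB_TOKEN` at the top level and which jobs elevate any scope to write.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample 1: no `permissions:` key at all, so every job runs with
# whatever the repository (or org) default grants, historically write-all.
UNSCOPED = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: cargo test
"""

# Constructed sample 2: read-only token at the top level; the hypothetical
# `release` job raises only the single scope it needs.
SCOPED = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: cargo test
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - run: echo "publish step would go here"
"""

# Matches `key: value` mapping lines; list items (`- uses: ...`) do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")
Perms = Union[str, Dict[str, str]]  # "read-all"/"write-all" or {scope: level}


def find_permissions(workflow_text: str) -> Dict[str, Perms]:
    """Return every `permissions:` declaration keyed by scope:
    "workflow" for the top-level block, "job:<name>" for job-level ones."""
    lines = workflow_text.splitlines()
    found: Dict[str, Perms] = {}
    in_jobs = False
    job_indent: Optional[int] = None
    current_job: Optional[str] = None
    i = 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:                      # new top-level key
            in_jobs = key == "jobs"
            job_indent = None
            current_job = None
        elif in_jobs and value == "" and (job_indent is None or indent == job_indent):
            job_indent = indent              # first nested key under jobs: fixes the job indent
            current_job = key
        if key != "permissions":
            i += 1
            continue
        scope = "workflow" if indent == 0 else f"job:{current_job}"
        if value:                            # inline form: read-all / write-all / {}
            found[scope] = value
            i += 1
            continue
        block: Dict[str, str] = {}           # mapping form: one scope per deeper-indented line
        j = i + 1
        while j < len(lines):
            if not lines[j].strip():
                j += 1
                continue
            sub = KEY_RE.match(lines[j])
            if not sub or len(sub.group(1)) <= indent:
                break
            block[sub.group(2)] = sub.group(3)
            j += 1
        found[scope] = block
        i = j
    return found


def write_scopes(perms: Perms) -> List[str]:
    """Scopes a permissions value grants at write level ('*' for write-all)."""
    if perms == "write-all":
        return ["*"]
    if isinstance(perms, dict):
        return sorted(k for k, v in perms.items() if v == "write")
    return []


def audit(workflow_text: str) -> dict:
    """Classify the top-level grant (missing / read / write) and list jobs
    that elevate scopes to write, which is what an explicit-permissions
    check can see without reading any job logs."""
    perms = find_permissions(workflow_text)
    top = perms.get("workflow")
    if top is None:
        top_level = "missing"   # inherits the repository default, invisible in the file
    elif write_scopes(top):
        top_level = "write"
    else:
        top_level = "read"
    job_writes = {scope[len("job:"):]: write_scopes(p)
                  for scope, p in perms.items()
                  if scope.startswith("job:") and write_scopes(p)}
    return {"top_level": top_level, "job_write_scopes": job_writes}


if __name__ == "__main__":
    for name, text in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(name, audit(text))
```

Run over a checkout's `.github/workflows/*.yml`, a `top_level` of `missing` is exactly the state the issue describes: the file gives no evidence of the token's scope, and only the "Set up job" log or the repository setting would tell you.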

@pnacht
Author

pnacht commented Jun 7, 2023

Closing this since the repo default was already changed!

@pnacht pnacht closed this as completed Jun 7, 2023