[Security] Token permissions no. 2

.github/workflows/PR-Demo-cleanup.yml

@@ -4,9 +4,7 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, closed]
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: read-all
 
 env:
   SERVER_IP: ${{ secrets.VPS_IP }}  # Add this to your GitHub secrets
@@ -15,6 +13,9 @@ env:
 jobs:
   cleanup:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.event.action == 'closed'
 
     steps:

.github/workflows/auto-labeler.yml

@@ -3,13 +3,13 @@ on:
   pull_request_target:
     types: [opened, synchronize]
 
-permissions:
-  contents: read
-  pull-requests: write
+permissions: read-all
 
 jobs:
   labeler:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2

.github/workflows/licenses-update.yml

@@ -7,14 +7,14 @@ on:
     paths:
       - "build.gradle"
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: read-all
 
 jobs:
   generate-license-report:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2

.github/workflows/manage-label.yml

@@ -4,14 +4,14 @@ on:
   schedule:
     - cron: "30 20 * * *"
 
-permissions:
-  contents: read
-  issues: write
+permissions: read-all
 
 jobs:
   labeler:
     name: Labeler
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2

.github/workflows/multiOSReleases.yml

@@ -4,9 +4,9 @@ on:
   workflow_dispatch:
   release:
     types: [created]
-permissions:
-  contents: write
-  packages: write
+
+permissions: read-all
+
 jobs:
   build-installers:
     strategy:
@@ -22,6 +22,9 @@ jobs:
          #  platform: linux
          #  ext: deb
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: write
+      packages: write
 
     steps:
       - name: Harden Runner

.github/workflows/push-docker.yml

@@ -7,13 +7,13 @@ on:
       - master
       - main
 
-permissions:
-  contents: read
-  packages: write
+permissions: read-all
 
 jobs:
   push:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2

.github/workflows/releaseArtifacts.yml

@@ -4,12 +4,15 @@ on:
   workflow_dispatch:
   release:
     types: [created]
-permissions:
-  contents: write
-  packages: write
+
+permissions: read-all
+
 jobs:
   push:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
     strategy:
       matrix:
         enable_security: [true, false]

.github/workflows/stale.yml

@@ -5,8 +5,7 @@ on:
     - cron: "30 0 * * *"
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   stale:

.github/workflows/swagger.yml

@@ -6,6 +6,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 jobs:
   push:
     runs-on: ubuntu-latest

.github/workflows/sync_files.yml

@@ -9,13 +9,14 @@ on:
       - "src/main/resources/messages_*.properties"
       - "scripts/ignore_translation.toml"
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: read-all
 
 jobs:
   sync-readme:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2