[StepSecurity] ci: Harden GitHub Actions (#473)

.github/workflows/codeql.yml

@@ -23,13 +23,18 @@ on:
   schedule:
     - cron: '31 2 * * 5'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
     runs-on: windows-latest
     timeout-minutes: 360
     permissions:
-      security-events: write
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
       packages: read
 
     strategy:

.github/workflows/main.yml

@@ -21,6 +21,9 @@ on:
       - build/*.targets
       - build/*.yml
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}

.github/workflows/test.yml

@@ -21,6 +21,9 @@ on:
       - build/*.targets
       - build/*.yml
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}

.github/workflows/vcpkg.yml

@@ -15,6 +15,9 @@ on:
       - LICENSE
       - build/*
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}