CI: set minimal permissions on GitHub Workflows #523

Closed
@diogoteles08

Hi!

I'm here to suggest that you set minimal permissions to your GitHub Workflows, because currently they don't specify the permissions for their jobs and their privileges are being determined by GitHub's defaults. Defining minimal permissions secures you against erroneous or malicious behaviour from external jobs you call from your workflow. It's especially important for the case they get compromised, for example.

It's a very simple change! I'd basically add

permissions:
    contents: read

at the root of your workflows, and that would set a top-level read-only permission that would be inherited by any job that does not define job-level permissions. It seems that currently none of your workflows require write permissions -- but in case you need them in the future, you'd keep the top-level read-only permissions and add the required write permissions as job-level.

Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

Let me know what you think about this. If you agree, I'd be happy to contribute with a PR =).

Context

I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
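
The layout the issue describes, as an added example that is not part of the original post or of this project's workflows: a top-level read-only default that one job inherits, plus a job-level block for a job that needs to write. The file path, job names and `run` commands are hypothetical placeholders.

```yaml
# Hypothetical workflow file: .github/workflows/ci.yml
name: CI
on:
  push:
    branches: [main]
  pull_request:

# Top-level default: every job below gets a read-only token
# unless it declares its own permissions block.
permissions:
  contents: read

jobs:
  test:
    # No job-level permissions here, so this job inherits contents: read.
    # A compromised third-party action in this job cannot push commits or tags.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test            # placeholder test command

  release:
    # A job-level block replaces the top-level one for this job only.
    # Any scope not listed in it is set to none for this job.
    if: github.event_name == 'push'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish.sh # placeholder release command
```

Keeping the write grant on the single job that needs it means a later change to `test` cannot silently pick up write access to the repository.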
