
Conversation

@titusfortner
Member

@titusfortner titusfortner commented Dec 22, 2025

User description

Security checkers have been complaining when I update a workflow that doesn't have restrictive permissions, so I've added them to everything. I think these are right.


PR Type

Enhancement


Description

  • Add explicit read permissions to all GitHub workflows

  • Add write permissions where workflows need to modify repository content

  • Improve security posture by following least privilege principle

  • Prevent security checker warnings on workflow updates


Diagram Walkthrough

flowchart LR
  A["GitHub Workflows"] -->|"Add permissions block"| B["Read-only workflows"]
  A -->|"Add job-level permissions"| C["Write-enabled workflows"]
  B -->|"contents: read"| D["Secure by default"]
  C -->|"contents: write"| E["Selective write access"]

File Walkthrough

Relevant files: configuration changes (16 files)

  • ci-dotnet.yml (+3/-0): Add read-only permissions to dotnet CI workflow

  • ci-grid-ui.yml (+3/-0): Add read-only permissions to grid UI CI workflow

  • ci-java.yml (+3/-0): Add read-only permissions to Java CI workflow

  • ci-python.yml (+3/-0): Add read-only permissions to Python CI workflow

  • ci-rbe.yml (+3/-0): Add read-only permissions to RBE CI workflow

  • ci-renovate-rbe.yml (+5/-0): Add permissions with write access for dependency pinning

  • ci-ruby.yml (+3/-0): Add read-only permissions to Ruby CI workflow

  • ci-rust.yml (+3/-0): Add read-only permissions to Rust CI workflow

  • ci.yml (+3/-0): Add read-only permissions to main CI workflow

  • issue-labeler.yml (+3/-0): Add read-only workflow permissions with job-level write

  • mirror-selenium-releases.yml (+3/-0): Add read-only permissions to release mirror workflow

  • nightly.yml (+5/-0): Add permissions with selective write for release creation

  • pin-browsers.yml (+3/-0): Add read-only permissions to browser pinning workflow

  • pre-release.yml (+3/-0): Add read-only permissions to pre-release workflow

  • stage-release.yml (+3/-0): Add read-only permissions to release staging workflow

  • update-docs-after-action.yml (+3/-0): Add read-only permissions to documentation update workflow

@selenium-ci selenium-ci added the B-build Includes scripting, bazel and CI integrations label Dec 22, 2025
@qodo-code-review
Contributor

qodo-code-review bot commented Dec 22, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review
Contributor

qodo-code-review bot commented Dec 22, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue (suggestion, importance and impact listed for each)
Grant write permission for issues

In .github/workflows/issue-labeler.yml, add issues: write permission to allow
the workflow to label newly opened issues.

.github/workflows/issue-labeler.yml [6-7]

 permissions:
   contents: read
+  issues: write
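Review bot: in the issue-labeler.yml hunk, `issues: write` is being added to the workflow-level block, which grants it to every job in the file; the file walkthrough above says this workflow keeps read-only workflow permissions with job-level write, so the scope belongs in the labeling job's own `permissions:` block (and if it is already there, the suggestion is unnecessary).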
Suggestion importance[1-10]: 9

Why: This suggestion correctly identifies that the issue-labeler.yml workflow requires issues: write permission to function, which the PR's changes would implicitly revoke, thus breaking the workflow.

Impact: High
Grant write permission for release

In .github/workflows/stage-release.yml, grant contents: write permission to the
github-release job to allow it to create GitHub releases.

.github/workflows/stage-release.yml [12-16]

 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 permissions:
   contents: read
 
+jobs:
+  github-release:
+    permissions:
+      contents: write
+    if: >
+
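Review bot: the stage-release.yml hunk cannot be applied as shown: `jobs:` and `github-release:` appear as added lines although the job must already exist, and the hunk ends on an unfinished `if: >`; the only new lines should be `permissions:` and `contents: write` under the existing `github-release` job. The job-level placement itself is right, since the workflow-level `contents: read` stays and only the release job gains write. Note that `permissions` governs the `GITHUB_TOKEN` shown in `env:`; a step that authenticates with a separately stored PAT would be unaffected by this block.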
Suggestion importance[1-10]: 9

Why: This suggestion correctly points out that the stage-release.yml workflow needs contents: write permission to create releases, and the PR's change would break this functionality. The proposed fix correctly applies the permission at the job level, following the principle of least privilege.

Impact: High
Grant write access for commits

In .github/workflows/pin-browsers.yml, change the contents permission from read
to write to allow the workflow to commit and push updated browser pins.

.github/workflows/pin-browsers.yml [7-8]

 permissions:
-  contents: read
+  contents: write
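Review bot: in the pin-browsers.yml hunk, switching the workflow-level `contents` to `write` gives write access to every job in the file rather than to the one that commits and pushes; prefer the pattern in the stage-release suggestion, keeping `contents: read` at the top and adding `permissions:` with `contents: write` on the pushing job only.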
Suggestion importance[1-10]: 9

Why: This suggestion correctly identifies that the pin-browsers.yml workflow needs contents: write permission to commit and push updates, a functionality that would be broken by the PR's changes.

Impact: High
Enable pushing docs updates

In .github/workflows/update-docs-after-action.yml, change the contents
permission from read to write to allow the workflow to push version updates.

.github/workflows/update-docs-after-action.yml [11-12]

 permissions:
-  contents: read
+  contents: write
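Review bot: same concern for the update-docs-after-action.yml hunk: widening the workflow-level `contents` to `write` affects all jobs, so add `contents: write` under the job that pushes the version update and leave the top-level block at `contents: read`; only if the workflow has a single job are the two equivalent in effect.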
Suggestion importance[1-10]: 9

Why: This suggestion correctly identifies that the update-docs-after-action.yml workflow requires contents: write permission to push updates, which would be broken by the PR's changes.

Impact: High

Member

@cgoldberg cgoldberg left a comment


LGTM as long as it works.

What are you using for security scanning? I ran our workflows through this a while back and it found a lot of issues: https://github.com/zizmorcore/zizmor

@titusfortner
Member Author

@cgoldberg this was just qodo complaining in the PRs I was making that changed things in the workflow

@titusfortner titusfortner merged commit 973dbe6 into trunk Dec 23, 2025
18 checks passed
@titusfortner titusfortner deleted the gh_permissions branch December 23, 2025 17:25
Labels

B-build Includes scripting, bazel and CI integrations Review effort 2/5
