[backport] ci: add workflow permissions for security (#912) (#914)

Author: mergify[bot]

.github/workflows/build-pipy-images.yml

@@ -8,6 +8,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   debian:
     name: Build pipy debian images

.github/workflows/e2e.yml

@@ -43,6 +43,10 @@ env:
   CTR_REGISTRY: ${{ vars.CI_CTR_REGISTRY || 'localhost:5000' }}
   CTR_TAG: ${{ github.sha }}
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   e2e-test:
     name: e2e

.github/workflows/ghcr.yml

@@ -22,6 +22,7 @@ on:
       - "scripts/cleanup/**"
       - "CODEOWNERS"
       - "OWNERS"
+
 env:
   CI_WAIT_FOR_OK_SECONDS: 180
   CI_MAX_ITERATIONS_THRESHOLD: 0 #unlimited
@@ -38,6 +39,11 @@ env:
   FSM_DEMO_IMAGE_ARTIFACTS_NAME: ${{ vars.FSM_DEMO_IMAGE_ARTIFACTS_NAME || 'fsm-demo-images' }}
   FSM_CLI_ARTIFACTS_NAME: ${{ vars.FSM_CLI_ARTIFACTS_NAME || 'fsm-cli' }}
 
+permissions:
+  contents: read
+  packages: write
+  actions: read
+
 jobs:
   shellcheck:
     name: Shellcheck

.github/workflows/main.yml

@@ -32,6 +32,10 @@ on:
         type: string
         default: nonroot
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-24.04

.github/workflows/release-image.yml

@@ -4,6 +4,11 @@ on:
     tags:
       - "v*.*.*"
 
+permissions:
+  contents: read
+  packages: write
+  actions: read
+
 jobs:
   version:
     name: Set Version from git ref

.github/workflows/release.yml

@@ -3,6 +3,12 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+  actions: read
+
 jobs:
   run:
     runs-on: ubuntu-24.04