Adjusted workflow permissions

Signed-off-by: Eddie Knight <knight@linux.com>

.github/workflows/bootstrap.yaml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   github:
     runs-on: ubuntu-latest

.github/workflows/e2e-arm64.yaml

@@ -5,6 +5,9 @@ on:
   push:
     branches: [ main, update-components ]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     # Hosted on Equinix

.github/workflows/e2e-azure.yaml

@@ -7,6 +7,9 @@ on:
   push:
     branches: [ azure* ]
 
+permissions:
+  contents: read
+
 jobs:
   e2e:
     runs-on: ubuntu-22.04

.github/workflows/e2e.yaml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main, oci ]
 
+permissions:
+  contents: read
+
 jobs:
   kind:
     runs-on: ubuntu-latest

.github/workflows/release-manifests.yml

@@ -5,10 +5,12 @@ on:
   workflow_dispatch:
 
 permissions:
-  id-token: write # needed for keyless signing
+  contents: read
-  packages: write # needed for ghcr access
 
 jobs:
+  permissions:
+    id-token: write # needed for keyless signing
+    packages: write # needed for ghcr access
   build-push:
     runs-on: ubuntu-latest
     steps:

.github/workflows/release.yaml

@@ -11,6 +11,10 @@ permissions:
 
 jobs:
   goreleaser:
+    permissions: # TODO: Segment these jobs to minimize which actions are recieving escalated perms
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/scan.yaml

@@ -10,7 +10,6 @@ on:
 
 permissions:
   contents: read # for actions/checkout to fetch code
-  security-events: write # for codeQL to write security events
 
 jobs:
   fossa:
@@ -50,6 +49,8 @@ jobs:
           sarif_file: snyk.sarif
 
   codeql:
+    permissions:
+      security-events: write # for codeQL to write security events
     name: CodeQL
     runs-on: ubuntu-latest
     if: github.actor != 'dependabot[bot]'

.github/workflows/update.yaml

@@ -7,6 +7,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   update-components:
     runs-on: ubuntu-latest