Merge pull request #2843 from lukaszstolarczuk/fix-permissions-workflows

[CI] Set top-level permissions to least required in all workflows

Author: lukaszstolarczuk

.github/workflows/docs.yml

@@ -9,11 +9,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 # Allow one concurrent deployment
 concurrency:
@@ -76,6 +73,12 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ${{ github.repository_owner == 'oneapi-src' && 'intel-ubuntu-22.04' || 'ubuntu-latest' }}
     needs: build
+
+    # Sets permissions to allow deployment to GitHub Pages
+    permissions:
+      pages: write
+      id-token: write
+
     steps:
       - name: Deploy to GitHub Pages
         id: deployment

.github/workflows/pr-migration-auto-close.yml

@@ -7,12 +7,15 @@ on:
   workflow_dispatch:
 
 permissions:
-  pull-requests: write
-  issues: write
+  contents: read
 
 jobs:
   close-stale-prs:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      issues: write
+
     steps:
       - name: Close PRs labeled "auto-close"
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

.github/workflows/pr-migration-warn.yml

@@ -7,12 +7,15 @@ on:
   workflow_dispatch:
 
 permissions:
-  pull-requests: write
-  issues: write
+  contents: read
 
 jobs:
   label-and-comment:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      issues: write
+
     steps:
       - name: Label and comment on open PRs
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0