GitHub Workflows security hardening (#1249)

.github/workflows/nodejs.yml

@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   prepare-yarn-cache-ubuntu:
     uses: ./.github/workflows/prepare-cache.yml
@@ -125,6 +128,9 @@ jobs:
               'echo "::error file={}::This needs to be regenerated by running \`tools:regenerate-docs\`" && false'
 
   release:
+    permissions:
+      contents: write # for semantic-release
+
     if:
       # prettier-ignore
       ${{ github.event_name == 'push' && (github.event.ref == 'refs/heads/main' || github.event.ref == 'refs/heads/next') }}

.github/workflows/smoke-test.yml

@@ -5,8 +5,16 @@ on:
     - cron: '0 0 * * SUN'
   workflow_dispatch:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      issues: write # to create comment
+      pull-requests: read # for searching pull requests
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3