Merge pull request #12063 from Homebrew/workflow-permissions

workflows: reduce GITHUB_TOKEN permissions

.github/workflows/docker.yml

@@ -9,6 +9,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   ubuntu:
     if: startsWith(github.repository, 'Homebrew/')

.github/workflows/doctor.yml

@@ -8,6 +8,8 @@ on:
       - Library/Homebrew/extend/os/diagnostic.rb
       - Library/Homebrew/extend/os/mac/diagnostic.rb
       - Library/Homebrew/os/mac/xcode.rb
+permissions:
+  contents: read
 env:
   HOMEBREW_DEVELOPER: 1
   HOMEBREW_NO_AUTO_UPDATE: 1

.github/workflows/sorbet.yml

@@ -10,6 +10,9 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   tapioca:
     if: github.repository == 'Homebrew/brew'

.github/workflows/spdx.yml

@@ -7,6 +7,8 @@ on:
       - master
   schedule:
     - cron: "0 0 * * *"
+permissions:
+  contents: read
 jobs:
   spdx:
     if: github.repository == 'Homebrew/brew'

.github/workflows/tests.yml

@@ -6,6 +6,9 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 env:
   HOMEBREW_DEVELOPER: 1
   HOMEBREW_NO_AUTO_UPDATE: 1

.github/workflows/triage.yml

@@ -12,6 +12,8 @@ on:
   schedule:
     - cron: "0 */3 * * *" # every 3 hours
 
+permissions:
+
 concurrency: triage-${{ github.ref }}
 
 jobs:

.github/workflows/update-man-completions.yml

@@ -18,6 +18,9 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-manpage:
     runs-on: ubuntu-latest

.github/workflows/vendor-gems.yml

@@ -8,6 +8,10 @@ on:
         description: Pull request number
         required: true
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   vendor-gems:
     if: >