[BRE-848] Adding Workflow Permissions (#5985)

.github/workflows/enforce-labels.yml

@@ -4,6 +4,9 @@ on:
   workflow_call:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
+
+permissions: {}
+
 jobs:
   enforce-label:
     if: ${{ contains(github.event.*.labels.*.name, 'hold') || contains(github.event.*.labels.*.name, 'needs-qa') || contains(github.event.*.labels.*.name, 'DB-migrations-changed') || contains(github.event.*.labels.*.name, 'ephemeral-environment') }}

.github/workflows/protect-files.yml

@@ -16,6 +16,9 @@ jobs:
   changed-files:
     name: Check for file changes
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
     outputs:
       changes: ${{steps.check-changes.outputs.changes_detected}}
 

.github/workflows/stale-bot.yml

@@ -8,6 +8,11 @@ jobs:
   stale:
     name: Check for stale issues and PRs
     runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+      contents: read
+      issues: write
+      pull-requests: write
     steps:
       - name: Check
         uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0

.github/workflows/test-database.yml

@@ -31,10 +31,17 @@ on:
       - "test/Infrastructure.IntegrationTest/**" # Any changes to the tests
       - "src/**/Entities/**/*.cs" # Database entity definitions
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Run tests
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      actions: read
+      checks: write
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2