GitHub Workflows security hardening (#10843)

* build: harden codespell.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden generated_cmake.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden objc_cocoapods.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden php-ext.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden update_php_repo.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

.github/workflows/codespell.yml

@@ -3,6 +3,8 @@
 # https://github.com/codespell-project/codespell
 name: codespell
 on: [push, pull_request]
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
 jobs:
   codespell:
     name: Check for spelling errors

.github/workflows/generate_files.yml

@@ -9,8 +9,12 @@ on:
       # to exclude it.
       - '!21.x'
 
+permissions: {}
 jobs:
   cmake:
+    permissions:
+      contents: write  #  for git push
+
     if: github.repository == 'protocolbuffers/protobuf'
     runs-on: ubuntu-latest
 

.github/workflows/objc_cocoapods.yml

@@ -18,6 +18,9 @@ on:
     - '!objectivec/ProtocolBuffers_*.xcodeproj/**'
     - '!objectivec/Tests/**'
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   pod-lib-lint:
     runs-on: macos-latest

.github/workflows/php-ext.yml

@@ -4,6 +4,9 @@ on:
   - push
   - pull_request
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   build-php:
     name: Build PHP extension

.github/workflows/update_php_repo.yml

@@ -6,6 +6,9 @@ on:
       - v[0-9]+.[0-9]+
       - v[0-9]+.[0-9]+-rc[0-9]+
 
+permissions:
+  contents: read  #  to fetch code in 'Clone protobuf' (actions/checkout)
+
 jobs:
   update-repo:
     name: Update PHP Repo