Set only necessary permissions for all workflows

* This will override the default permissions which would allow read-write permissions

Author: bogsi17

.github/workflows/build-and-push-image.yml

@@ -14,6 +14,8 @@ concurrency:
 env:
   PUSH_IMAGE_TO_PRODUCTION: ${{ github.ref_name == 'main' }}
 
+permissions: {}
+
 jobs:
   check-image-presence:
     name: Check if images already exist

.github/workflows/continuous-deployment.yml

@@ -5,6 +5,8 @@ on:
   push:
     branches: [main]
 
+permissions: {}
+
 jobs:
   test:
     uses: ./.github/workflows/test.yml

.github/workflows/deploy-application.yml

@@ -38,6 +38,8 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 concurrency:
   group: deploy-application-${{ inputs.environment }}
 

.github/workflows/deploy-infrastructure.yml

@@ -30,6 +30,8 @@ on:
         required: false
         type: string
 
+permissions: {}
+
 concurrency:
   group: deploy-infrastructure-${{ inputs.environment }}
 

.github/workflows/deploy.yml

@@ -4,6 +4,8 @@ run-name: Deploy ${{ inputs.git_ref_to_deploy || github.ref_name }} to ${{ input
 concurrency:
   group: deploy-${{ inputs.environment }}
 
+permissions: {}
+
 on:
   workflow_call:
     inputs:

.github/workflows/destroy-infrastructure.yml

@@ -19,6 +19,8 @@ on:
 env:
   aws_role: arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure
 
+permissions: {}
+
 jobs:
   destroy-resources:
     name: Destroy resources

.github/workflows/lint.yml

@@ -3,6 +3,8 @@ name: Lint
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   prettier:
     name: Prettier

.github/workflows/test.yml

@@ -4,6 +4,8 @@ on:
   pull_request:
   workflow_call:
 
+permissions: {}
+
 jobs:
   rails:
     name: Rails