
[github action] Follow the principle of least privileges#7673

Merged
Pierre-Sassoulas merged 1 commit into pylint-dev:main from Pierre-Sassoulas:set-minimal-right-in-github-action-workflow
Oct 26, 2022

Conversation

@Pierre-Sassoulas
Member

Type of Changes

Type
🐛 Bug fix

Description

This sets the least amount of privilege for each GitHub action when it wasn't already set.

Full disclosure, I'm being paid to make pylint more secure by Tidelift and this is part of this effort.

@Pierre-Sassoulas Pierre-Sassoulas added Maintenance Discussion or action around maintaining pylint or the dev workflow Skip news 🔇 This change does not require a changelog entry labels Oct 25, 2022
@coveralls

coveralls commented Oct 25, 2022

Pull Request Test Coverage Report for Build 3323819181

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 95.359%

Totals Coverage Status
Change from base Build 3323803614: 0.0%
Covered Lines: 17178
Relevant Lines: 18014

💛 - Coveralls


@Pierre-Sassoulas Pierre-Sassoulas force-pushed the set-minimal-right-in-github-action-workflow branch from ba1cd22 to 6b89f53 on October 25, 2022 19:49
@Pierre-Sassoulas
Member Author

@cdce8p Let's use this MR to check that #7674 #7671 worked correctly.

@github-actions
Contributor

🤖 Effect of this PR on checked open source code: 🤖

Effect on pytest:
The following messages are now emitted:

  1. inconsistent-return-statements:
    Either all return statements in a function should return an expression, or none of them should.
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/pytester.py#L301
  2. no-name-in-module:
    No name 'NOSE_SUPPORT_METHOD' in module '_pytest.deprecated'
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/python.py#L62
  3. no-name-in-module:
    No name 'PytestReturnNotNoneWarning' in module '_pytest.warning_types'
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/python.py#L81
  4. inconsistent-return-statements:
    Either all return statements in a function should return an expression, or none of them should.
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/python.py#L1085
  5. inconsistent-return-statements:
    Either all return statements in a function should return an expression, or none of them should.
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/fixtures.py#L130
  6. inconsistent-return-statements:
    Either all return statements in a function should return an expression, or none of them should.
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/python_api.py#L798
  7. no-name-in-module:
    No name 'NOSE_SUPPORT' in module '_pytest.deprecated'
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/nose.py#L5
  8. no-name-in-module:
    No name 'warn_explicit_for' in module '_pytest.warning_types'
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/config/__init__.py#L62
  9. no-member:
    Module '_pytest.deprecated' has no 'HOOK_LEGACY_MARKING' member
    https://github.com/pytest-dev/pytest/blob/bbe7cbae4aa24f4cb65230704b870c5dcf40781e/src/_pytest/config/__init__.py#L369

This comment was generated for commit 6b89f53

@Pierre-Sassoulas Pierre-Sassoulas enabled auto-merge (squash) October 25, 2022 21:15
@cdce8p cdce8p disabled auto-merge October 26, 2022 08:17
Member

@cdce8p cdce8p left a comment


Looks good, but I don't think it's necessary anymore.

The same can be achieved by modifying the Action permissions -> Workflow permissions in the repo settings. I just toggled Read repository contents permission, so contents: read is the default for all workflows.

--
FYI I also modified a few other Action permissions settings to increase security.

  • Disabled Allow GitHub Actions to create and approve pull requests
  • Only allow specific / predefined actions and reusable workflows.
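What the PR's per-workflow change and the repo-setting default described above amount to, as an added example that is not a workflow from the pylint repository (the workflow name, job names and the PR-comment step are hypothetical): a read-only GITHUB_TOKEN by default, with write scope granted only to the one job that needs it.

```yaml
# Added example; not one of pylint's own workflows.
name: lint

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default: every job's GITHUB_TOKEN is read-only.
# Without this block (or the repo-level "Read repository contents"
# setting), the token's scopes fall back to the repository default,
# which on older repositories is read and write for all scopes.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: pip install pylint && pylint src/

  comment:
    # A job-level permissions block replaces the workflow-level one,
    # so contents: read is restated; only pull-requests is widened,
    # and only for this job.
    needs: lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/github-script@v6
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: "Lint passed."
            })
```

A job that omits its own permissions block inherits the workflow-level contents: read, so a compromised step in lint cannot push, create releases or comment, while the comment job cannot write to contents.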

@Pierre-Sassoulas Pierre-Sassoulas merged commit a30236d into pylint-dev:main Oct 26, 2022
@Pierre-Sassoulas Pierre-Sassoulas deleted the set-minimal-right-in-github-action-workflow branch October 26, 2022 09:54