Add base permissions to GitHub Actions workflows

.github/workflows/ci.yml

@@ -7,3 +7,5 @@ jobs:
       package: asyncprawcore
 name: CI
 on: [ pull_request, push ]
+permissions:
+  contents: read

.github/workflows/manual_tag_release.yml

@@ -12,3 +12,5 @@ on:
       commit:
         description: The commit the version bump occurred
         required: true
+permissions:
+  contents: write

.github/workflows/pre-commit_autoupdate.yml

@@ -8,3 +8,6 @@ on:
   schedule:
     - cron: 0 15 * * 1
   workflow_dispatch:
+permissions:
+  contents: read
+  pull-requests: write

.github/workflows/prepare_release.yml

@@ -12,3 +12,6 @@ on:
       version:
         description: The version to prepare for release
         required: true
+permissions:
+  contents: read
+  pull-requests: write

.github/workflows/pypi.yml

@@ -7,3 +7,5 @@ name: Upload Python Package
 on:
   release:
     types: [ published ]
+permissions:
+  contents: read

.github/workflows/scorecards-analysis.yml

@@ -1,12 +1,39 @@
 jobs:
-  scorecards-analysis:
-    name: Scorecards supply-chain security
-    secrets: inherit
-    uses: praw-dev/.github/.github/workflows/scorecards-analysis.yml@main
+  analysis:
+    name: Scorecards analysis
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        with:
+          persist-credentials: false
+      - name: Run analysis
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          publish_results: true
+      - name: Upload artifact
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        with:
+          sarif_file: results.sarif
 name: Scorecards supply-chain security
 on:
   branch_protection_rule:
   push:
     branches: [ main ]
   schedule:
     - cron: 30 1 * * 6
+permissions: read-all

.github/workflows/tag_release.yml

@@ -7,3 +7,5 @@ name: Tag Release
 on:
   push:
     branches: [ main, release_test ]
+permissions:
+  contents: write