chore: add monitoring to github actions (#15436)

* chore: add monitoring to github actions

* try this

Author: Rich-Harris

.github/workflows/ci.yml

@@ -12,6 +12,7 @@ env:
 
 jobs:
   Tests:
+    permissions: {}
     runs-on: ${{ matrix.os }}
     timeout-minutes: 15
     strategy:
@@ -41,6 +42,7 @@ jobs:
         env:
           CI: true
   Lint:
+    permissions: {}
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
@@ -61,6 +63,7 @@ jobs:
         if: (${{ success() }} || ${{ failure() }}) # ensures this step runs even if previous steps fail
         run: pnpm build && { [ "`git status --porcelain=v1`" == "" ] || (echo "Generated types have changed — please regenerate types locally with `cd packages/svelte && pnpm generate:types` and commit the changes after you have reviewed them"; git diff; exit 1); }
   Benchmarks:
+    permissions: {}
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:

.github/workflows/ecosystem-ci-trigger.yml

@@ -9,6 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'sveltejs/svelte' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/github-script@v6
         with:
           script: |

.github/workflows/pkg.pr.new-comment.yml

@@ -11,6 +11,7 @@ jobs:
     name: 'Update comment'
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Download artifact
         uses: actions/download-artifact@v4
         with:

.github/workflows/pkg.pr.new.yml

@@ -3,6 +3,8 @@ on: [push, pull_request]
 
 jobs:
   build:
+    permissions: {}
+
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/release.yml

@@ -17,6 +17,7 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Checkout Repo
         uses: actions/checkout@v4
         with: