[core] Harden GitHub Actions permissions (#34769)

.github/workflows/check-if-pr-has-label.yml

@@ -8,6 +8,8 @@ jobs:
   test-label-applied:
     # Tests that label is added on the PR
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: mnajdova/[email protected]
         with:

.github/workflows/maintenance.yml

@@ -1,4 +1,5 @@
-name: 'Maintenance'
+name: Maintenance
+
 on:
   # So that PRs touching the same files as the push are updated
   push:
@@ -20,6 +21,9 @@ jobs:
     # We rely on other pushes to mark these branches as outdated.
     if: ${{ github.actor != 'l10nbot' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - run: echo "${{ github.actor }}"
       - name: check if prs are dirty

.github/workflows/issue-mark-duplicate.yml → .github/workflows/mark-duplicate.yml

@@ -1,4 +1,4 @@
-name: Issue Mark Duplicate
+name: Mark duplicate
 
 on:
   issue_comment:
@@ -7,6 +7,10 @@ on:
 jobs:
   mark-duplicate:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     steps:
       - name: mark-duplicate
         uses: actions-cool/issues-helper@v3

.github/workflows/no-response.yml

@@ -12,6 +12,9 @@ on:
 jobs:
   noResponse:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: lee-dohm/[email protected]
         with:

.github/workflows/support-stackoverflow.yml

@@ -1,16 +1,16 @@
 # Configuration for support-requests - https://github.com/dessant/support-requests
-name: 'Support Stack Overflow'
+name: Support Stack Overflow
 
 on:
   issues:
     types: [labeled, unlabeled, reopened]
 
-permissions:
-  issues: write
-
 jobs:
   mark-support:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - uses: dessant/support-requests@v2
         with: