GitHub actions: move permissions down to the jobs

.github/workflows/auto-assign-pr-to-author.yml

@@ -3,8 +3,7 @@ on:
   pull_request:
     types: [opened]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   add-reviews:

.github/workflows/check-bad-merge.yml

@@ -6,8 +6,12 @@ on:
      - opened
      - synchronize
 
+permissions: {}
+
 jobs:
   check_pr_commits:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/codeql-analysis.yml

@@ -6,12 +6,10 @@ on:
   schedule:
     - cron: '0 5 * * *'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   CodeQL-Build:
-
     permissions:
       actions: read  # for github/codeql-action/init to get workflow details
       contents: read  # for actions/checkout to fetch code

.github/workflows/contributor-pr.yml

@@ -14,19 +14,19 @@ concurrency:
   group: ${{ (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/release' ) && format('contributor-pr-base-{0}', github.sha) || format('contributor-pr-{0}', github.ref) }}
   cancel-in-progress: true
 
-
 env:
   # Set the DEVELOCITY_ACCESS_KEY so that Gradle Build Scans are generated
   DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
   # Enable debug for the `gradle-build-action` cache operations
   GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:
     name: "Compile All"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: git clone
@@ -62,6 +62,8 @@ jobs:
 
   sanity-check:
     name: "Sanity Check on Linux"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: build
     steps:
@@ -84,6 +86,8 @@ jobs:
 
   unit-test:
     name: "${{ matrix.bucket.name }} (Unit Test)"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: build
     strategy:

.github/workflows/feedback.yml

@@ -5,12 +5,14 @@ on:
     - cron: '0 * * * *' # every hour
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   feedback:
-    runs-on: ubuntu-latest
     permissions:
       issues: write
       pull-requests: write
+    runs-on: ubuntu-latest
     steps:
       # Feedback loop: ask for something on PR/Issue and close if not provided or return to the queue on update.
       # https://github.com/gradle/issue-management-action/blob/main/src/feedback.ts

.github/workflows/issue-metadata.yml

@@ -4,11 +4,13 @@ on:
   issues:
     types: [ opened, unlabeled, closed ]
 
+permissions: {}
+
 jobs:
   check_issue_metadata:
-    runs-on: ubuntu-latest
     permissions:
       issues: write
+    runs-on: ubuntu-latest
     steps:
       # Check that issues have proper metadata: labels and milestone
       # https://github.com/gradle/issue-management-action/blob/main/src/issue-metadata.ts

.github/workflows/notify-on-rc-for-manual-test.yml

@@ -5,6 +5,8 @@ on:
     tags:
       - 'v*.*.*-RC1'
 
+permissions: {}
+
 jobs:
   send-slack-notification:
     runs-on: ubuntu-latest

.github/workflows/pull-metadata.yml

@@ -4,12 +4,14 @@ on:
   pull_request_target:
     types: [ closed ]
 
+permissions: {}
+
 jobs:
   check_pull_metadata:
-    runs-on: ubuntu-latest
     permissions:
       issues: write
       pull-requests: write
+    runs-on: ubuntu-latest
     steps:
       # Check that PRs have proper metadata: labels and milestone
       # https://github.com/gradle/issue-management-action/blob/main/src/pull-metadata.ts

.github/workflows/slack-notifier.yml

@@ -5,6 +5,8 @@ on:
     types:
       - labeled
 
+permissions: {}
+
 jobs:
   send-slack-notification:
     if: ${{ github.event.label.name == 'in:ide' || github.event.label.name == 'in:eclipse-plugin' || github.event.label.name == 'in:idea-plugin' || github.event.label.name == 'in:tooling-api' }}

.github/workflows/stale-pr.yml

@@ -4,11 +4,13 @@ on:
     # Execute every hour at xx:05 to avoid conflicts with other workflows
     - cron: '5 * * * *'
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   stale:
+    permissions:
+      pull-requests: write
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v9

.github/workflows/submit-github-dependency-graph.yml

@@ -5,11 +5,12 @@ on:
     branches:
       - master
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   generate-and-submit:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4

.github/workflows/team-triage-stale.yml

@@ -4,12 +4,13 @@ on:
     # Execute every day at 00:05 to avoid conflicts with other workflows
     - cron: '5 0 * * *'
 
-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   requeue:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v9