This PR adds an explicit permissions section to workflows. This is a security best practice because by default workflows run with an extended set of permissions (except for on: pull_request from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.
Comment From: bclozel
Thanks, but this is already taken care of. See https://github.com/spring-projects/spring-framework/pull/29104#issuecomment-1240355349
Comment From: sashashura
I respectfully disagree. By setting the default repository setting to Read-Only you are potentially breaking the backport-bot step, because it may need the permission to create/close issues. The repo or org level read-only setting is good until you actually need write permissions.
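For readers following the thread, here is an added illustration of the layout the PR description recommends (most restrictive `permissions` at the top level, write scopes granted per job) and of the case raised above (a job that needs to create/close issues). This is example YAML written for this discussion, not the PR's own diff and not a Spring Framework workflow; the workflow name, the build command and the backport step are placeholders.

```yaml
# Added example, not the PR's diff: restrictive top-level permissions with a
# job-level write grant for the one job that needs it.
name: ci-and-backport   # hypothetical workflow name

on:
  push:
    branches: [ main ]
  pull_request:

# Top level: the most restrictive set. Listing any permission here sets every
# scope not listed to `none` for all jobs that do not override the block.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits `contents: read` only: the GITHUB_TOKEN in this job cannot
    # write to issues, pull requests, packages, etc.
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build   # placeholder build command

  backport:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    # Job-level grant: only this job may create/close issues, which is what a
    # backport-bot step would need. A job-level `permissions` block replaces
    # the top-level one for that job rather than extending it, so
    # `contents: read` has to be restated here.
    permissions:
      contents: read
      issues: write
    steps:
      - run: echo "backport-bot step would run here"   # placeholder step
```

The point of restating `contents: read` in the `backport` job is easy to miss: a job-level `permissions` block is not merged with the workflow-level block, so a job that lists only `issues: write` would lose read access to the repository contents. Keeping the write grant on the job rather than at the top level means the `build` job, which runs on pull requests, never holds an issues write scope.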
Comment From: bclozel
Good catch!