ci: explicit permissions on actions

Author: doublethink

.github/workflows/cli.yaml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
 

.github/workflows/manual-release-brew-and-scoop.yaml

@@ -7,6 +7,9 @@ on:
         description: "Tag to release (e.g. v1.2.3)"
         required: true
 
+permissions:
+  contents: write
+
 jobs:
   call-release-homebrew-tap:
     uses: ./.github/workflows/release-homebrew-tap.yaml

.github/workflows/pgTAP.yaml

@@ -3,6 +3,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/pre-commit_hooks.yaml

@@ -2,6 +2,9 @@ name: pre-commit hooks
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/prettier.yaml

@@ -5,6 +5,9 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
 jobs:
   check-prettier:
     runs-on: ubuntu-latest

.github/workflows/release-cli.yaml

@@ -5,6 +5,9 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: write
+
 jobs:
   create-release:
     name: Create Release
@@ -73,25 +76,25 @@ jobs:
           cd ../..
 
           # Build debian package
-          package_dir=dbdev-${{ github.ref_name }}-linux-${{ matrix.box.arch }}
-          mkdir -p ${package_dir}/usr/local/bin
-          cp ./target/release/dbdev ${package_dir}/usr/local/bin/dbdev
+          package_dir="dbdev-${{ github.ref_name }}-linux-${{ matrix.box.arch }}"
+          mkdir -p "${package_dir}/usr/local/bin"
+          cp ./target/release/dbdev "${package_dir}/usr/local/bin/dbdev"
 
-          extension_version=${{ github.ref_name }}
+          extension_version="${{ github.ref_name }}"
           # strip the leading v
-          deb_version=${extension_version:1}
+          deb_version="${extension_version:1}"
 
-          mkdir -p ${package_dir}/DEBIAN
-          touch ${package_dir}/DEBIAN/control
+          mkdir -p "${package_dir}/DEBIAN"
+          touch "${package_dir}/DEBIAN/control"
           echo 'Package: dbdev' >> ${package_dir}/DEBIAN/control
           echo 'Version:' ${deb_version} >> ${package_dir}/DEBIAN/control
           echo 'Architecture: ${{ matrix.box.arch }}' >> ${package_dir}/DEBIAN/control
           echo 'Maintainer: supabase' >> ${package_dir}/DEBIAN/control
           echo 'Description: CLI for publishing to database.dev' >> ${package_dir}/DEBIAN/control
 
           # Create deb package
-          sudo chmod -R 00755 ${package_dir}
-          sudo dpkg-deb --build ${package_dir}
+          sudo chmod -R 00755 "${package_dir}"
+          sudo dpkg-deb --build "${package_dir}"
 
       - name: Upload gzip Package
         uses: actions/upload-release-asset@v1

.github/workflows/release-homebrew-tap.yaml

@@ -10,6 +10,9 @@ on:
       homebrew_tap_rw:
         required: true
 
+permissions:
+  contents: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -46,9 +49,9 @@ jobs:
         linux_arm64_hash=`shasum -a 256 dbdev-${{ inputs.tag }}-linux-arm64.tar.gz | cut -d" " -f1`
         macos_amd64_hash=`shasum -a 256 dbdev-${{ inputs.tag }}-macos-amd64.tar.gz | cut -d" " -f1`
 
-        tag=${{ inputs.tag }}
+        tag="${{ inputs.tag }}"
         # strip the leading v
-        version=${tag:1}
+        version="${tag:1}"
 
         # update dbdev.rb file
         echo '# typed: false' > dbdev.rb

.github/workflows/release-scoop-bucket.yaml

@@ -10,6 +10,9 @@ on:
       scoop_bucket_rw:
         required: true
 
+permissions:
+  contents: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -31,9 +34,9 @@ jobs:
       run: |
         windows_amd64_hash=`shasum -a 256 dbdev-${{ inputs.tag }}-windows-amd64.zip | cut -d" " -f1`
 
-        tag=${{ inputs.tag }}
+        tag="${{ inputs.tag }}"
         # strip the leading v
-        version=${tag:1}
+        version="${tag:1}"
 
         # update dbdev.json file
         echo '{' > dbdev.json