cucumber / common

A home for issues that are common to multiple cucumber repositories
https://cucumber.io/docs
MIT License

Reduce the scope of the GITHUB_TOKEN by default #2139

Open mpkorstanje opened 1 year ago

mpkorstanje commented 1 year ago

@sashashura has been submitting a number of PRs to the Cucumber org that reduce the access of the GitHub token for specific actions. This block-list approach is unfortunately scattergun and doesn't scale well; it is also insecure by default.

This PR adds an explicit permissions section to workflows. This is a security best practice because by default workflows run with an extended set of permissions (except for on: pull_request from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted. It is recommended to have the most strict permissions on the top level and grant write permissions on the job level case by case. Originally posted by @sashashura in https://github.com/cucumber/cucumber-jvm/pull/2618#issue-1379533139

This doesn't look like the correct solution to the problem you are highlighting. Looking at "How the permissions are calculated for a workflow job", it appears we can limit the scope of the GITHUB_TOKEN for the organization by default and then only increase it for the specific workflows that need it.

The permissions for the GITHUB_TOKEN are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request from a forked repository, and the Send write tokens to workflows from pull requests setting is not selected, the permissions are adjusted to change any write permissions to read only.

Originally posted by @mpkorstanje in https://github.com/cucumber/cucumber-jvm/issues/2618#issuecomment-1335242726

By reducing the scope across the organization we only have to increase it for the cucumber/action-create-github-release. All other actions do (as far as I know) require elevated permissions.
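As an added example (not from this issue, the Cucumber repositories, or GitHub's own code), the calculation quoted above can be modelled directly: the org/repo default is taken first, then the workflow-level block, then the job-level block, and finally the fork-PR downgrade. The scope list and the two default permission sets below are a simplified assumption and should be checked against GitHub's current documentation.

```python
# Added example modelling the GITHUB_TOKEN permission calculation described
# in the issue. Scope list and default sets are assumptions (simplified).
SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")

# Assumed org/repo defaults: "restricted" grants read on contents/packages only;
# "permissive" grants write everywhere except id-token.
DEFAULTS = {
    "restricted": {s: ("read" if s in ("contents", "packages") else "none") for s in SCOPES},
    "permissive": {s: ("none" if s == "id-token" else "write") for s in SCOPES},
}


def apply_block(current, block):
    """Apply a workflow- or job-level `permissions:` mapping.

    None (key absent) inherits the current permissions unchanged. A mapping,
    even an empty one, sets the named scopes and, as the issue points out,
    every other scope to none.
    """
    if block is None:
        return dict(current)
    result = {s: "none" for s in SCOPES}
    for scope, level in block.items():
        if scope not in SCOPES or level not in ("read", "write", "none"):
            raise ValueError(f"invalid permission {scope}: {level}")
        result[scope] = level
    return result


def effective_permissions(default="restricted", workflow=None, job=None,
                          fork_pr=False, send_write_tokens=False):
    """Return the token scopes a job actually runs with."""
    perms = apply_block(DEFAULTS[default], workflow)   # workflow level
    perms = apply_block(perms, job)                    # job level overrides
    # Pull requests from forks are downgraded to read unless the
    # "Send write tokens to workflows from pull requests" setting is on.
    if fork_pr and not send_write_tokens:
        perms = {s: ("read" if lvl == "write" else lvl) for s, lvl in perms.items()}
    return perms


if __name__ == "__main__":
    # A release job: restricted default, read-only workflow block, and
    # contents: write granted only on the job that creates the release.
    release = effective_permissions("restricted", workflow={"contents": "read"},
                                    job={"contents": "write"})
    print({s: lvl for s, lvl in release.items() if lvl != "none"})
```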

mpkorstanje commented 1 year ago

We can also limit the actions allowed in the organisation in a few different ways.

We currently have these non-cucumber, non-GitHub-provided actions; I can't tell which ones are from verified publishers:

mpkorstanje@nyx:~/Projects/cucumber/code-search$ grep -r uses: | grep ".github"  | cut -d ":" -f 3 | sort | uniq | grep -v cucumber | grep -v actions
 8398a7/action-slack@v3
 arduino/setup-protoc@v1
 aurelien-baudet/workflow-dispatch@v2
 codecov/codecov-action@v1
 codecov/codecov-action@v3
 coverallsapp/github-action@master
 dart-lang/setup-dart@v1.3
 docker/bake-action@v2
 docker/build-push-action@v3
 docker/login-action@v2
 docker/setup-buildx-action@v2
 docker/setup-qemu-action@v2
 erlef/setup-beam@v1
 GabrielBB/xvfb-action@v1
 golangci/golangci-lint-action@v3.2.0
 goreleaser/goreleaser-action@v2
 goreleaser/goreleaser-action@v3.1.0
 HaaLeo/publish-vscode-extension@v1
 marocchino/sticky-pull-request-comment@v2
 mymindstorm/setup-emsdk@v11
 ocaml/setup-ocaml@v2
 pulumi/setup-pulumi@v2
 reactivecircus/android-emulator-runner@v2
 ruby/setup-ruby@v1
 shivammathur/setup-php@v2
 snok/install-poetry@v1
 softprops/action-gh-release@v1

mpkorstanje commented 1 year ago

Projects that use cucumber/action-create-github-release, which would definitely need elevated permissions:

mpkorstanje@nyx:~/Projects/cucumber/code-search$ grep -rl cucumber/action-create-github-release | cut -d '/' -f 1
cucumber-expressions
blockly
cucumber-parent
action-get-versions
gherkin
message-streams
action-publish-rubygem
action-publish-sbt
action-publish-nuget
action-publish-hex
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
gherkin-streams
cucumber-jvm-scala
action-publish-npm
multi_test
html-formatter
compatibility-kit
action-create-release-pr
cucumber-js-pretty-formatter
ci-environment
cucumber-js
react-components
language-server
action-publish-subrepo
screenplay.js
build
cucumber-ruby
language-service
cucumber-ruby-wire
cucumber-json-converter
monaco
cucumber-android
messages
action-publish-mvn
gherkin-utils
action-publish-pypi
microdata
split-java
tag-expressions
query
action-publish-cpan
cucumber-ruby-core
cucumber-rails
release-tests
cucumber-jvm