Kami closed 2 years ago
Per best practices, we also want to pin all the non-official GitHub Actions our workflows rely on (e.g. magefile/, etc.) - https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions.
Examples - https://github.com/scalyr/scalyr-agent-2/blob/master/.github/workflows/end_to_end_tests.yml#L27
This PR assigns the GITHUB_TOKEN used by GHA workflows the minimum amount of permissions needed.
Related PR with more context - https://github.com/scalyr/scalyr-agent-2/pull/902.
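
One way to check a workflow file for both points raised in this description (unpinned non-official actions and a GITHUB_TOKEN without an explicit permissions block), as an added example that is not part of the PR or the scalyr-agent-2 code base. It assumes "official" means actions owned by `actions` or `github`, and the sample workflow, action names and commit id are constructed.

```python
import re

# Constructed sample workflow; the action names and the 40-hex commit id are
# placeholders, not taken from the scalyr-agent-2 repository.
SAMPLE_WORKFLOW = """\
name: example
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: example-org/build-action@v2
      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

OFFICIAL_OWNERS = {"actions", "github"}  # assumption: what counts as "official"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
TOP_PERMS_RE = re.compile(r"^permissions:[ \t]*(\S*)", re.MULTILINE)

def unpinned_actions(text):
    """Return (line number, reference) for third-party actions not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):  # local action or container image
            continue
        name, _, version = ref.partition("@")
        if name.split("/")[0] in OFFICIAL_OWNERS:
            continue
        if not FULL_SHA_RE.fullmatch(version):  # tags and branches can be moved
            findings.append((lineno, ref))
    return findings

def token_permission_findings(text):
    """Flag a workflow with no top-level permissions key, or with write-all."""
    m = TOP_PERMS_RE.search(text)
    if m is None:
        return ["no top-level permissions block: GITHUB_TOKEN uses the repository default"]
    if m.group(1) == "write-all":
        return ["permissions: write-all grants every scope"]
    return []
```

The permissions check only looks at the workflow level, so a workflow that sets `permissions` per job is reported and needs a manual look.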