[GitHub][workflows] Add minimum GitHub token permissions

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

3 files changed, 12 insertions, 0 deletions

diff --git a/.github/workflows/documentation-creation.yml b/.github/workflows/documentation-creation.yml
index ffb41c5286..7daef47402 100644
--- a/.github/workflows/documentation-creation.yml
+++ b/.github/workflows/documentation-creation.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [ master, main, Matrix, Leia ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: github.repository == 'xbmc/xbmc'
diff --git a/.github/workflows/gh-action-weblate-upload.yml b/.github/workflows/gh-action-weblate-upload.yml
index 6f7419edcb..05b8e34038 100644
--- a/.github/workflows/gh-action-weblate-upload.yml
+++ b/.github/workflows/gh-action-weblate-upload.yml
@@ -9,6 +9,9 @@ on:
     paths:
       - "addons/resource.language.en_gb/resources/strings.po"
       - ".github/workflows/gh-action-weblate-upload.yml"
+permissions:
+  contents: read
+
 jobs:
   weblate:
     if: github.repository == 'xbmc/xbmc'
diff --git a/.github/workflows/sync-addon-metadata-translations.yml b/.github/workflows/sync-addon-metadata-translations.yml
index a33becfbb9..5807a0209c 100644
--- a/.github/workflows/sync-addon-metadata-translations.yml
+++ b/.github/workflows/sync-addon-metadata-translations.yml
@@ -15,8 +15,14 @@ on:
       - '**screensaver.xbmc.builtin.dim**addon.xml'
       - '**screensaver.xbmc.builtin.dim**resource.language.**strings.po'
 
+permissions:
+  contents: read
+
 jobs:
   default:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     if: github.repository == 'xbmc/xbmc'
     runs-on: ubuntu-latest