Merge pull request #938 from pnacht/token-permissions

Set minimal permissions for GitHub workflows

.github/workflows/cifuzz.yml

@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest

.github/workflows/cmake.yml

@@ -8,6 +8,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -19,6 +22,9 @@ jobs:
             arch: x86
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      contents: write # svenstaro/upload-release-action 
+
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1

.github/workflows/cross_build.yml

@@ -8,6 +8,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/wheel.yml

@@ -8,6 +8,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build_wheels:
     outputs:
@@ -20,6 +23,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     name: Build wheels on ${{ matrix.os }}
 
+    permissions:
+      contents: write # svenstaro/upload-release-action 
+
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
@@ -53,7 +59,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install setuptools wheel twine
-          python -m pip install cibuildwheel==2.12.0
+          python -m pip install cibuildwheel==2.16.2
 
       - name: Build wheels
         working-directory: ${{github.workspace}}/python