fix(GHA): harden permissions (#66155)

Mrugesh Mohapatra
2026-03-01 17:19:19 +05:30
committed by GitHub
parent 59ab2e4103
commit 95e293d23a
6 changed files with 34 additions and 0 deletions
@@ -11,6 +11,9 @@ env:
CROWDIN_API_URL: 'https://freecodecamp.crowdin.com/api/v2/'
CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_CLIENT }}
permissions:
contents: read
jobs:
i18n-download-client-ui-translations:
name: Client
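Review bot: The new top-level `permissions:` block lists only `contents: read`, which sets every unlisted scope to `none` for all jobs in this workflow. The job body is outside the hunk, so it is not visible whether `i18n-download-client-ui-translations` later commits the downloaded files or opens a pull request. If it does that with `GITHUB_TOKEN`, the job needs its own `permissions:` block with the write scopes it uses, rather than a wider workflow-level grant. No checkout hunk is shown for this file, unlike the two upload workflows that get `persist-credentials: false`, so it is worth confirming that the omission is deliberate. A comment above the block, such as `# least privilege: jobs that need more declare it at job level`, would record the intent here and on the identical blocks added to the other workflows.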
@@ -11,6 +11,9 @@ env:
CROWDIN_API_URL: 'https://freecodecamp.crowdin.com/api/v2/'
CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_ClIENT }}
permissions:
contents: read
jobs:
i18n-upload-client-ui-files:
name: Client
@@ -19,6 +22,8 @@ jobs:
steps:
- name: Checkout Source Files
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Generate Crowdin Config
uses: freecodecamp/crowdin-action@36a78cbf92f5a6c05a3a32dc8bf434a19a7c59e2 # main
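Review bot: The secret reference on the `CROWDIN_PROJECT_ID` line is spelled `CROWDIN_PROJECT_ID_ClIENT`, with a lowercase `l`, while the download workflow uses `CROWDIN_PROJECT_ID_CLIENT`. GitHub documents secret names as case-insensitive, so this most likely still resolves. The mismatch does defeat a plain text search for where the secret is consumed, which matters when rotating or auditing it. Since the commit already touches this file, normalise the line to `CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_CLIENT }}`.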
@@ -11,6 +11,9 @@ env:
CROWDIN_API_URL: 'https://freecodecamp.crowdin.com/api/v2/'
CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_CURRICULUM }}
permissions:
contents: read
jobs:
i18n-upload-curriculum-files:
name: Learn
@@ -19,6 +22,8 @@ jobs:
steps:
- name: Checkout Source Files
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Generate Crowdin Config
uses: freecodecamp/crowdin-action@36a78cbf92f5a6c05a3a32dc8bf434a19a7c59e2 # main
+8
@@ -15,6 +15,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: ${{ !contains(github.ref, 'main') && !contains(github.ref, 'prod-') }}
permissions:
contents: read
jobs:
build-client:
name: Build Client
@@ -27,6 +30,7 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
submodules: 'recursive'
- name: Use Node.js ${{ matrix.node-version }}
@@ -51,6 +55,7 @@ jobs:
with:
repository: freeCodeCamp/client-config
path: client-config
persist-credentials: false
- name: Set freeCodeCamp Environment Variables
run: |
@@ -84,6 +89,7 @@ jobs:
- name: Checkout Source Files
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
submodules: 'recursive'
- name: Create Image
@@ -119,6 +125,8 @@ jobs:
- name: Checkout Source Files
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Download Client Artifact
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
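Review bot: With `persist-credentials: false` on every checkout, no token is left in the local git config once the step finishes, so any later step that runs git against the remote would do so unauthenticated. That includes the checkouts with `submodules: 'recursive'` and the one for `freeCodeCamp/client-config`. Most steps after each checkout are outside these hunks, so confirm that none of them fetches, pushes or updates submodules on its own; the submodule clone done inside the checkout step should be unaffected. The next workflow file receives the same set of changes and needs the same check.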
+8
@@ -10,6 +10,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: ${{ !contains(github.ref, 'main') && !contains(github.ref, 'prod-') }}
permissions:
contents: read
jobs:
build-client:
name: Build Client
@@ -21,11 +24,13 @@ jobs:
- name: Checkout Source Files
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
submodules: 'recursive'
- name: Checkout client-config
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
repository: freeCodeCamp/client-config
path: client-config
@@ -68,6 +73,7 @@ jobs:
- name: Checkout Source Files
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
submodules: 'recursive'
- name: Create Image
@@ -101,6 +107,8 @@ jobs:
- name: Checkout Source Files
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+5
@@ -36,6 +36,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: 'recursive'
persist-credentials: false
- name: Check number of lockfiles
run: |
@@ -106,6 +107,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: 'recursive'
persist-credentials: false
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@@ -148,6 +150,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: 'recursive'
persist-credentials: false
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@@ -200,6 +203,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: 'recursive'
persist-credentials: false
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@@ -254,6 +258,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: 'recursive'
persist-credentials: false
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
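Review bot: This workflow gets `persist-credentials: false` on its five checkouts but, unlike the other five files in the commit, no top-level `permissions:` block in the hunks shown. The top of the file is outside these hunks, so it may already declare one. If it does not, its jobs keep the repository's default token permissions, and adding `permissions:` with `contents: read` ahead of `jobs:` would bring it in line with the rest. As a minor style point, the new key sits after `submodules:` here and before it in the build workflows; one order throughout keeps the files easy to compare.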