Prerequisites

• I have searched for duplicate or closed feature requests
• I have read the contributing guidelines

Proposal

Hi!

I'm here to suggest that you set minimal permissions to your workflow calibreapp-image-actions.yml, because currently it doesn't specify the permissions for its jobs and their privileges are being determined by GitHub's defaults. I noticed that all of your other workflows already have the permissions defined, and the change I propose is would be very similar.

IIUC, the job called on calibreapp-image-actions.yml requires a pull-requests: write permission, so I'd give this permission job-level, and grant a read-only permission as top-level.

If you have a reason not to define the permissions on that specific workflow, let me know! Otherwise, if you agree with this change I'm available to contribute with a PR to add them and close this issue.

Motivation and context

Defining minimal permissions secures you against erroneous or malicious behaviour from external jobs you call from your workflow. It's specially important for the case they get compromised, for example. Adicionally, it's a recommendation from GitHub itself and also from other security tools, such as Scorecards and StepSecurity.

Additional Context

I'm Diogo and I work on Google's Open Source Security Team(GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊