First attempt at fixing zizmor warnings (#2338)

Zizmor now supports auditing token permissions for each workflow run and
reports that we almost never remove the default permissions (which seem
relatively permissive). As a precaution it does not hurt to revoke all
token permissions by default and see what breaks on the way.

.github/workflows/build_docker_images.yml

@@ -10,6 +10,8 @@ concurrency:
   group: docker-image-builds
   cancel-in-progress: false
 
+permissions: {}
+
 env:
   CI_SLACK_CHANNEL: ${{ secrets.CI_DOCKER_CHANNEL }}
 

.github/workflows/build_documentation.yml

@@ -7,6 +7,8 @@ on:
       - doc-builder*
       - v*-release
 
+permissions: {}
+
 jobs:
    build:
     uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@main

.github/workflows/build_pr_documentation.yml

@@ -7,6 +7,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   build:
     uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@main

.github/workflows/integrations_tests.yml

@@ -7,6 +7,8 @@ on:
         description: 'Branch to test on'
         required: true
 
+permissions: {}
+
 jobs:
   run_transformers_integration_tests:
     strategy:

.github/workflows/nightly-bnb.yml

@@ -12,6 +12,7 @@ env:
   NVIDIA_DISABLE_REQUIRE: "1"
   SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
 
+permissions: {}
 
 jobs:
   run_all_tests_single_gpu:

.github/workflows/nightly.yml

@@ -12,6 +12,7 @@ env:
   NVIDIA_DISABLE_REQUIRE: "1"
   SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
 
+permissions: {}
 
 jobs:
   run_all_tests_single_gpu:

.github/workflows/stale.yml

@@ -4,6 +4,8 @@ on:
   schedule:
     - cron: "0 15 * * *"
 
+permissions: {}
+
 jobs:
   close_stale_issues:
     name: Close Stale Issues

.github/workflows/test-docker-build.yml

@@ -5,6 +5,9 @@ on:
     paths:
       # Run only when DockerFile files are modified
       - "docker/*/Dockerfile"
+
+permissions: {}
+
 jobs:
   get_changed_files:
     name: "Build all modified docker images"

.github/workflows/tests-main.yml

@@ -6,6 +6,8 @@ on:
     paths-ignore:
         - 'docs/**'
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: ubuntu-latest

.github/workflows/tests.yml

@@ -9,6 +9,8 @@ on:
     paths-ignore:
       - 'docs/**'
 
+permissions: {}
+
 jobs:
   check_code_quality:
     runs-on: ubuntu-latest

.github/workflows/torch_compile_tests.yml

@@ -17,6 +17,8 @@ env:
   # To be able to run tests on CUDA 12.2
   NVIDIA_DISABLE_REQUIRE: "1"
 
+permissions: {}
+
 jobs:
   run_tests_with_compile:
     runs-on:

.github/workflows/trufflehog.yml

@@ -3,6 +3,8 @@ on:
 
 name: Secret Leaks
 
+permissions: {}
+
 jobs:
   trufflehog:
     runs-on: ubuntu-latest

.github/workflows/upload_pr_documentation.yml

@@ -6,6 +6,8 @@ on:
     types:
       - completed
 
+permissions: {}
+
 jobs:
   build:
     uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@main

.github/workflows/zizmor.yaml

@@ -8,6 +8,8 @@ on:
     paths:
       - '.github/**'
 
+permissions: {}
+
 jobs:
   zizmor:
     name: zizmor latest via Cargo

.github/zizmor.yml

@@ -8,8 +8,8 @@ rules:
       # the docker buildx binary is cached and zizmor warns about a cache poisoning attack.
       # OTOH this cache would make us more resilient against an intrusion on docker-buildx' side.
       # There is no obvious benefit so we leave it as it is.
-      - build_docker_images.yml:35:9
-      - build_docker_images.yml:68:9
-      - build_docker_images.yml:101:9
-      - build_docker_images.yml:134:9
-      - build_docker_images.yml:167:9
+      - build_docker_images.yml:37:9
+      - build_docker_images.yml:70:9
+      - build_docker_images.yml:103:9
+      - build_docker_images.yml:136:9
+      - build_docker_images.yml:169:9