ci: Limit GitHub token permissions for workflows.

This limits the ability for an Action to do mischief with this token.

Fixes #22786.

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

.github/workflows/codeql-analysis.yml

@@ -12,8 +12,15 @@ concurrency:
   group: "${{ github.workflow }}-${{ github.head_ref || github.run_id }}"
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     if: ${{!github.event.repository.private}}
     runs-on: ubuntu-latest
 

.github/workflows/production-suite.yml

@@ -33,6 +33,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   production_build:
     # This job builds a release tarball from the current commit, which

.github/workflows/update-oneclick-apps.yml

@@ -2,6 +2,9 @@ name: Update one click apps
 on:
   release:
     types: [published]
+permissions:
+  contents: read
+
 jobs:
   update-digitalocean-oneclick-app:
     runs-on: ubuntu-latest

.github/workflows/zulip-ci.yml

@@ -19,6 +19,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     strategy: