Set read-only top-level permissions on all workflows

[pnacht]

Hey @cowtowncoder, I'm Pedro and I'm back (see #896) hoping to offer a bit more help with security enhancements.

This time around, I'd like to suggest you add top-level permissions to your workflows. This is equivalent to the work done in #792, but for cifuzz.yml and release.yml. Yes, I forgot to put top-level permissions on the workflow I submitted in my last PR. 🤦‍♂️

I'm sending a PR with these changes alongside this issue to keep things simple.

These top-level permissions are necessary because workflows run with an underlying GITHUB_TOKEN that, by default, comes with write-all permissions. However, this default can be modified to read-only. If you prefer doing this (I'd recommend so, in order to future proof against any other well-meaning workflows that accidentally forget to add top-level permissions...), follow these steps:

1. Open the repo settings
2. Go to Actions > General
3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

This basically makes all workflows without top-level permissions run with

permissions:
  contents: read
  packages: read
  # and nothing else

instead of the default

permissions: write-all

If a workflow ever needs broader permissions, they can be set at the top level or job level without a problem.

[cowtowncoder]

@pnacht Thanks! Default change sounds good; I don't think most workflows need write access to repos (they do publish to other systems), will do that.

[cowtowncoder]

Thank you @pnacht !