chore: ci: request contents read permissions explicitly in gha (#12055)

.github/workflows/build.yml

@@ -16,7 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   build:

.github/workflows/builtin-actor-tests.yml

@@ -8,7 +8,8 @@ on:
     branches:
       - release/*
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   release:

.github/workflows/check.yml

@@ -16,7 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   check-docsgen:

.github/workflows/docker.yml

@@ -19,7 +19,8 @@ defaults:
   run:
     shell: bash
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   docker:

.github/workflows/release.yml

@@ -17,7 +17,8 @@ defaults:
   run:
     shell: bash
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   build:

.github/workflows/sorted-pr-checks.yml

@@ -17,6 +17,8 @@ on:
       - completed
 
 permissions:
+  actions: read
+  checks: read
   pull-requests: write
 
 concurrency:

.github/workflows/stale.yml

@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: '0 12 * * *'
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:

.github/workflows/sync-master-main.yaml

@@ -5,7 +5,8 @@ on:
     branches:
       - master
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   sync:

.github/workflows/test.yml

@@ -16,7 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   discover: