Fix Token-Permissions OpenSSF remarks (#655)

Author: aobolensk

.github/workflows/codeql.yml

@@ -5,6 +5,9 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/labeler.yml

@@ -3,6 +3,9 @@ name: "Label PRs"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   label-pull-requests:
     runs-on: ubuntu-24.04

.github/workflows/mac.yml

@@ -1,6 +1,9 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   clang-build:
     runs-on: macOS-latest

.github/workflows/perf.yml

@@ -1,6 +1,10 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   ubuntu-gcc-build-perf-stats:
     runs-on: ubuntu-24.04

.github/workflows/pre-commit.yml

@@ -5,6 +5,10 @@ on:
   pull_request:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-24.04

.github/workflows/static-analysis-pr.yml

@@ -19,6 +19,10 @@ concurrency:
         github.event_name != 'merge_group' &&
         !startsWith(github.ref, 'refs/heads/gh-readonly-queue') }}
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   clang-tidy:
     runs-on: ubuntu-24.04

.github/workflows/ubuntu.yml

@@ -1,6 +1,10 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   gcc-build:
     runs-on: ${{ matrix.os }}
@@ -330,6 +334,11 @@ jobs:
       - gcc-test-extended
       - clang-test-extended
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+      issues: write
+      pull-requests: write
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:

.github/workflows/windows.yml

@@ -1,6 +1,9 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   msvc-build:
     runs-on: windows-latest