ci: add GitHub token permissions for workflows

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18766)

.github/workflows/ci.yml

@@ -18,6 +18,9 @@ on: [pull_request, push]
 # before_script:
 #     - make="make -s"
 
+permissions:
+  contents: read
+
 jobs:
   check_update:
     runs-on: ubuntu-latest

.github/workflows/compiler-zoo.yml

@@ -9,6 +9,9 @@ name: Compiler Zoo CI
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   compiler:
     strategy:

.github/workflows/coveralls.yml

@@ -12,8 +12,14 @@ on:
   schedule:
     - cron:  '49 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
+    permissions:
+      checks: write  # for coverallsapp/github-action to create new checks
+      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2

.github/workflows/cross-compiles.yml

@@ -9,6 +9,9 @@ name: Cross Compile
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   cross-compilation:
     strategy:

.github/workflows/fips-checksums.yml

@@ -8,6 +8,9 @@
 name: FIPS Checksums
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   compute-checksums:
     runs-on: ubuntu-latest

.github/workflows/fips-label.yml

@@ -12,8 +12,14 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   apply-label:
+    permissions:
+      actions: read
+      pull-requests: write
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.event == 'pull_request' }}
     steps:

.github/workflows/fips-provider.yml

@@ -8,6 +8,9 @@
 name: Provider compat
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   fips-provider-30:
     runs-on: ubuntu-latest

.github/workflows/fuzz-checker.yml

@@ -9,6 +9,9 @@ name: Fuzz-checker CI
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   fuzz-checker:
     strategy:

.github/workflows/main.yml

@@ -7,6 +7,9 @@
 
 name: CIFuzz
 on: [pull_request, push]
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest

.github/workflows/os-zoo.yml

@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: '0 5 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   unix:
     strategy:

.github/workflows/run-checker-ci.yml

@@ -8,6 +8,9 @@
 # Jobs run per pull request submission
 name: Run-checker CI
 on: [pull_request, push]
+permissions:
+  contents: read
+
 jobs:
   run-checker:
     strategy:

.github/workflows/run-checker-daily.yml

@@ -11,6 +11,9 @@ name: Run-checker daily
 on:
   schedule:
     - cron: '0 6 * * *'
+permissions:
+  contents: read
+
 jobs:
   run-checker:
     strategy:

.github/workflows/run-checker-merge.yml

@@ -9,6 +9,9 @@ name: Run-checker merge
 # Jobs run per merge to master
 
 on: [push]
+permissions:
+  contents: read
+
 jobs:
   run-checker:
     strategy:

.github/workflows/static-analysis.yml

@@ -12,6 +12,9 @@ on:
   schedule:
     - cron:  '20 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   coverity:
     runs-on: ubuntu-latest

.github/workflows/windows.yml

@@ -9,6 +9,9 @@ name: Windows GitHub CI
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   shared:
     # Run a job for each of the specified target architectures: