GitHub Workflows security hardening

[sashashura]

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

[sashashura]

@tahina-pro

[sashashura]

@kant2002 could you please review?

[sashashura]

An example of a recent workflow run with unrestricted permissions:

[tahina-pro]

Thanks Alex for your initiative. I believe we still have the right permissions to push hints and snapshot with the separate DZOMO_GITHUB_TOKEN when manually triggering the workflow appropriately, but let me check that.

[tahina-pro]

Alas, with this PR as it is now, the answer is no: we are hit by https://github.com/orgs/community/discussions/26694 . From what I understand from that discussion and https://github.com/actions/checkout#checkout-v3, the token used by actions/checkout is persisted by default, and in that case, it is impossible to also use a separate token at the same time.
I opened sashashura#1 to fix that. @sashashura Could you please have a look? Thank you in advance!

[sashashura]

Could you try with the following code instead? It sounds to me you have a special token and don't need the autogenerated one.

      - name: Check out repo        
        uses: actions/checkout@v2
        with:
          token: ${{ secrets.DZOMO_GITHUB_TOKEN }}

In the referenced link it is about doing git push which fails with insufficient permissions. Could you please point me where push is needed in your case? If I misunderstood you, could you please show me the workflow run that fails?