Description
Proposed new feature or change:
Hi, I noticed this opened PR https://github.com/FasterXML/jackson-core has some overlap with the change I was about to suggest.
Since GitHub grants write permission to GITHUB_TOKEN by default, it is a good practice, recommended both by the OpenSSF Scorecard and by GitHub itself, to always use credentials that are minimally scoped.
This means setting the top-level permission as contents: read (usually enough for most actions) or even read-all, and granting any write permission at the job level.
This way, even in the case of a compromised workflow, an attacker would not be able to exploit the GITHUB_TOKEN permissions and would not be able to do much.
If that's OK, I would like to suggest a PR with only the changes suggested above (I know that the PR opened by StepSecurity grouped lots of changes such as Token Permissions, Pinned Dependencies, Harden Runner adoption, Dependabot adoption...).
Let me know if that's OK for you and I'll submit it ASAP.
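As an added illustration of the change proposed above (example config, not a workflow from jackson-core or the linked PR), here is a workflow relying on the default GITHUB_TOKEN grants beside the least-privilege form: read-only at the top level, with a write scope granted only on the one job that needs it. The job names, the build command and the `pull-requests: write` need of the `report` job are assumptions for the sake of the example.

```yaml
# Added example, not from the jackson-core repository.
# --- Before: no `permissions` block, so GITHUB_TOKEN receives the
# repository's default grants for every job, whether the job needs them or not.
name: ci-before
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: mvn -B verify   # hypothetical build command

---
# --- After: read-only token at the top level (this is what the OpenSSF
# Scorecard "Token-Permissions" check looks for); `read-all` is the
# alternative mentioned in the issue.
name: ci-after
on: [push, pull_request]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: mvn -B verify   # hypothetical build command

  # Hypothetical job that genuinely needs a write scope. A job-level
  # `permissions` block replaces the top-level set for that job (unlisted
  # scopes become "none"), so `contents: read` is restated here and only
  # the single write scope this job needs is added.
  report:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "write scope is limited to this job; build ran read-only"
```

With the second form, a step compromised inside `build` holds a token that can only read the repository, which is the limited blast radius the issue is asking for.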