Limit GH Actions Token Permissions (#14333)

Author: maennchen

.github/workflows/ci-markdown.yml

@@ -14,6 +14,9 @@ on:
       - 'lib/**/*.md'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint Markdown content

.github/workflows/release.yml

@@ -16,13 +16,13 @@ env:
   LANG: C.UTF-8
 
 permissions:
-  contents: write
-  id-token: write
-  attestations: write
+  contents: read
 
 jobs:
   create_draft_release:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
@@ -122,6 +122,9 @@ jobs:
 
     runs-on: ${{ matrix.flavor == 'linux' && 'ubuntu-22.04' || 'windows-2022' }}
 
+    permissions:
+      contents: write
+
     steps:
       - name: "Download build"
         uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
@@ -181,6 +184,11 @@ jobs:
 
     runs-on: ubuntu-24.04
 
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+
     steps:
       - name: Use HTTPS instead of SSH for Git cloning
         id: git-config
@@ -255,6 +263,9 @@ jobs:
     needs: [create_draft_release, build, sign, sbom]
     runs-on: ubuntu-22.04
 
+    permissions:
+      contents: write
+
     steps:
       - uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with: