Make GHA permissions explicit and often narrower

This adds `permissions` keys at workflow or job level in a number
of places, usually specifying minimal required permissions.

When a `permissions` key contains at least one subkey setting some
permission (in any way), all permissions it does not have subkeys
for are treated as if they were present with a value of `none`.
This relies on that rather than listing all unneeded permissions
everywhere with `none`.

So most `permissions` added here have only `contents: read`, and:

- The only place where `none` is specified explicitly is in the
  CIFuzz workflow, where no permissions (of those controllable
  through `permissions`) are needed.

- The only place any `write` permissions are specified are
  `contents: write` in the jobs of the release workflow that need
  it. All jobs involved in preparing a release currently have at
  least one step that requires this. But `contents: read` is still
  applied at the workflow level, because the `installation` job
  (which tests installing) does not need any `write` permissions.

Note that some jobs that don't have any write permissions of the
kind that is controlled under a `permissions` key do still perform
writes to data accessible outside of their run: caching (including
creating new caches), and uploading artifacts, still works.

Relevant documentation:

- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions
- https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps

Author: EliahKagan

.github/workflows/ci.yml

@@ -13,6 +13,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   CLICOLOR: 1

.github/workflows/cifuzz.yml

@@ -20,6 +20,9 @@ jobs:
   Fuzzing:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: none  # The fuzzing actions don't use our github.token at all.
+
     steps:
       - name: Build Fuzzers
         id: build

.github/workflows/cron.yml

@@ -5,6 +5,9 @@ on:
     - cron: '0 13,1 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   stress:
     runs-on: ubuntu-latest

.github/workflows/msrv.yml

@@ -13,6 +13,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-msrv:
     name: cargo check MSRV

.github/workflows/release.yml

@@ -12,6 +12,9 @@ on:
       - 'v*'
   workflow_dispatch:
 
+permissions:
+  contents: read  # Set more permissively in jobs that need `write`.
+
 defaults:
   run:
     shell: bash
@@ -21,6 +24,9 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
 #    env:
 #      # Set to force version number, e.g., when no tag exists.
 #      VERSION: TEST-0.0.0
@@ -204,6 +210,9 @@ jobs:
 
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      contents: write
+
     env:
       RUST_BACKTRACE: '1'  # Emit backtraces on panics.
       CARGO_TERM_COLOR: always
@@ -295,6 +304,9 @@ jobs:
         # These features need to be exactly the same as the features in build-release.
         feature: [ small, lean, max, max-pure ]
 
+    permissions:
+      contents: write
+
     env:
       BASH_ENV: ./helpers.sh
       REPOSITORY: ${{ github.repository }}
@@ -354,6 +366,9 @@ jobs:
 
     needs: [ create-release, build-release, build-macos-universal2-release ]
 
+    permissions:
+      contents: write
+
     env:
       REPOSITORY: ${{ github.repository }}
       VERSION: ${{ needs.create-release.outputs.version }}