fix(actions) restrict permission of action configuration files

Author: fabiencasenave

.github/workflows/checksum_release.yml

@@ -5,6 +5,9 @@ on:
   release:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   get-sha256:
     runs-on: ubuntu-latest

.github/workflows/doc.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: '0 0 * * *'  # Every day at 00:00 UTC
 
+permissions:
+  contents: read
+
 jobs:
   doc:
     runs-on: ubuntu-latest

.github/workflows/draft-pdf.yml

@@ -1,4 +1,8 @@
 name: Draft JOSS PDF
+
+permissions:
+  contents: read
+
 on:
   push:
     paths:

.github/workflows/lint-format-check.yaml

@@ -1,5 +1,8 @@
 name: Lint, format and type check
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [main]

.github/workflows/pr-title-checker.yml

@@ -1,5 +1,9 @@
 name: PR Title Checker
 
+permissions:
+  contents: read
+  pull-requests: read
+
 on:
   pull_request:
     types: [opened, edited, synchronize, reopened]

.github/workflows/publish-pypi.yml

@@ -7,6 +7,8 @@ on:
 jobs:
   test:
     name: test
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -56,9 +58,9 @@ jobs:
   build:
     name: Build wheels for multiple Python versions
     needs: test
-    runs-on: ubuntu-latest
     permissions:
       contents: read
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/testing.yml

@@ -1,5 +1,8 @@
 name: Tests and Examples
 
+permissions:
+  contents: read
+
 on:
   push:
   pull_request: