GitHub Workflows security hardening (#1894)

* build: harden continuous-integration.yml permissions

Signed-off-by: Alex <[email protected]>

* build: harden website.yml permissions

Signed-off-by: Alex <[email protected]>

---------

Signed-off-by: Alex <[email protected]>

Author: sashashura

.github/workflows/continuous-integration.yml

@@ -12,6 +12,8 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   lint-build:
     name: "Lint & Build"

.github/workflows/website.yml

@@ -4,8 +4,11 @@ on:
   push:
     branches:
       - docs
+permissions: {}
 jobs:
   build:
+    permissions:
+      contents: write
     name: Build & Deploy
     runs-on: ubuntu-20.04
     steps: