Explicitly set workflow permissions

If a GitHub Actions job or workflow has no explicit permissions set,
then the repository permissions are used. Repositories created under
organizations inherit the organization permissions.

Often these permissions do not adhere to the principle of least
privilege and can be reduced to read-only, leaving the write permission
only to a specific types as issues: write or pull-requests: write.

Author: ptziegler

.github/workflows/maven.yml

@@ -4,6 +4,8 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   build:
     strategy:

.github/workflows/unit-tests.yml

@@ -6,12 +6,19 @@ on:
     types:
       - completed
 
+permissions: {}
+
 jobs:
   unit-test-results:
     name: Unit Test Results
     runs-on: ubuntu-latest
     if: github.event.workflow_run.conclusion != 'skipped'
-
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: read
+      issues: read
+      actions: read
     steps:
       - name: Download and Extract Artifacts
         env: