Add more granular permissions

Author: reakaleek

.github/workflows/preview-build.yml

@@ -55,15 +55,18 @@ concurrency:
   cancel-in-progress: ${{ startsWith(github.event_name, 'pull_request') }}
 
 jobs:
-  
-  
   check:
     if: github.event.repository.fork == false # Skip running the job on the fork itself (It still runs on PRs on the upstream from forks)
     runs-on: ubuntu-latest
     outputs: 
       any_modified: ${{ steps.check-files.outputs.any_modified }}
     env:
       AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association }}
+    permissions: 
+      id-token: none
+      deployments: none
+      contents: read
+      pull-requests: read
     steps:
       - name: Checkout
         if: contains(fromJSON('["push", "merge_group", "workflow_dispatch"]'), github.event_name)
@@ -105,6 +108,11 @@ jobs:
     if: github.event.repository.fork == false # Skip running the job on the fork itself (It still runs on PRs on the upstream from forks)
     needs: check
     runs-on: ubuntu-latest
+    permissions:
+      id-token: none
+      deployments: none
+      contents: read
+      pull-requests: read
     outputs:
       content-source-match: ${{ steps.event-check.outputs.content-source-match != '' && steps.event-check.outputs.content-source-match || steps.match.outputs.content-source-match }}
       content-source-next: ${{ steps.event-check.outputs.content-source-next != '' && steps.event-check.outputs.content-source-next || steps.match.outputs.content-source-next }}
@@ -140,6 +148,11 @@ jobs:
   build:
     if: github.event.repository.fork == false # Skip running the job on the fork itself (It still runs on PRs on the upstream from forks)
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      deployments: write
+      contents: read
+      pull-requests: read
     env:
       GITHUB_PR_REF_NAME: ${{ github.event.pull_request.head.ref }}
       MATCH: ${{ needs.match.outputs.content-source-match }}