Add explicit permissions to CI workflow

- Added workflow-level default permissions (contents: read)
- Added job-level permissions for all jobs following least privilege:
  - build: contents:read, actions:write, security-events:write
  - upload-event-file: contents:read, actions:write
  - build-for-e2e-test: contents:read, actions:write
  - e2e-test: contents:read, actions:write, checks:write
  - publish: contents:write

Fixes #1457

Author: yugannkt

.github/workflows/CI.yml

@@ -11,8 +11,15 @@ on:
     - cron: "0 7 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: read
+      actions: write
+      security-events: write
     strategy:
       fail-fast: false
       matrix:
@@ -85,6 +92,9 @@ jobs:
         if: matrix.runner-os == 'ubuntu-latest'
 
   upload-event-file:
+    permissions:
+      contents: read
+      actions: write
     runs-on: ubuntu-latest
     steps:
       # This is used by the subsequent publish-test-results.yaml
@@ -95,6 +105,9 @@ jobs:
           path: ${{ github.event_path }}
 
   build-for-e2e-test:
+    permissions:
+      contents: read
+      actions: write
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == 'github'
     strategy:
       fail-fast: false
@@ -140,6 +153,10 @@ jobs:
             dist/win-x64/gei-windows-amd64.exe
 
   e2e-test:
+    permissions:
+      contents: read
+      actions: write
+      checks: write
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == 'github'
     needs: [build-for-e2e-test]
     strategy:
@@ -276,6 +293,8 @@ jobs:
         shell: pwsh
 
   publish:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v')
     needs: [build, e2e-test]