Use minimum required permissions for GitHub workflows

This reduces the attack surface if the workflows are ever compromised.

Author: triallax

.github/workflows/ci.yml

@@ -10,6 +10,9 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest

.github/workflows/docs.yml

@@ -5,6 +5,10 @@ on:
     branches:
       - master
 
+permissions:
+  # The generated docs are written to the `gh-pages` branch.
+  contents: write
+
 jobs:
   build-and-deploy-docs:
     runs-on: ubuntu-latest