Remove unneeded GH perms

Reduce perms to least-necessary
Remove merge_queue.yml since it's never been used and is now stale
Remove comment-artifact, it hasn't worked in ages.

Author: vidplace7

.github/workflows/build_debian_src.yml

@@ -16,8 +16,7 @@ on:
         type: string
 
 permissions:
-  contents: write
-  packages: write
+  contents: read
 
 jobs:
   build-debian-src:

.github/workflows/build_one_target.yml

@@ -87,7 +87,7 @@ jobs:
 
   gather-artifacts:
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
     runs-on: ubuntu-latest
     needs: [version, build]

.github/workflows/daily_packaging.yml

@@ -16,7 +16,7 @@ on:
       - .github/workflows/hook_copr.yml
 
 permissions:
-  contents: write
+  contents: read
   packages: write
 
 jobs:

.github/workflows/docker_build.yml

@@ -37,7 +37,7 @@ on:
         value: ${{ jobs.docker-build.outputs.digest }}
 
 permissions:
-  contents: write
+  contents: read
   packages: write
 
 jobs:

.github/workflows/docker_manifest.yml

@@ -12,7 +12,7 @@ on:
         type: string
 
 permissions:
-  contents: write
+  contents: read
   packages: write
 
 jobs:

.github/workflows/hook_copr.yml

@@ -11,8 +11,7 @@ on:
         type: string
 
 permissions:
-  contents: write
-  packages: write
+  contents: read
 
 jobs:
   build-copr-hook:

.github/workflows/main_matrix.yml

@@ -28,6 +28,8 @@ on:
 
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   setup:
     strategy:
@@ -123,9 +125,16 @@ jobs:
 
   test-native:
     if: ${{ !contains(github.ref_name, 'event/') && github.repository == 'meshtastic/firmware' }}
+    permissions: # Needed for dorny/test-reporter.
+      contents: read
+      actions: read
+      checks: write
     uses: ./.github/workflows/test_native.yml
 
   docker:
+    permissions: # Needed for pushing to GHCR.
+      contents: read
+      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -150,9 +159,6 @@ jobs:
   gather-artifacts:
     # trunk-ignore(checkov/CKV2_GHA_1)
     if: github.repository == 'meshtastic/firmware'
-    permissions:
-      contents: write
-      pull-requests: write
     strategy:
       fail-fast: false
       matrix:
@@ -225,13 +231,6 @@ jobs:
           path: ./*.elf
           retention-days: 30
 
-      - uses: scruplelesswizard/comment-artifact@main
-        if: ${{ github.event_name == 'pull_request' }}
-        with:
-          name: firmware-${{matrix.arch}}-${{ needs.version.outputs.long }}
-          description: "Download firmware-${{matrix.arch}}-${{ needs.version.outputs.long }}.zip. This artifact will be available for 90 days from creation"
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
   shame:
     if: github.repository == 'meshtastic/firmware'
     continue-on-error: true
@@ -275,6 +274,8 @@ jobs:
       #   run: python3 bin/shame.py ${{ github.event.pull_request.number }} manifests-old/ manifests-new/
 
   release-artifacts:
+    permissions: # Needed for 'gh release upload'.
+      contents: write
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'workflow_dispatch' && github.repository == 'meshtastic/firmware' }}
     outputs:
@@ -366,6 +367,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   release-firmware:
+    permissions: # Needed for 'gh release upload'.
+      contents: write
     strategy:
       fail-fast: false
       matrix: