Complete CI permissions limiting (#4394)

This is a follow-up to #4348 to address the remaining code scanning
alerts.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.

Author: tautschnig

.github/workflows/deny.yml

@@ -5,6 +5,8 @@
 # 2. Checks Rust-Sec registry for security advisories.
 
 name: Cargo Deny
+permissions:
+  contents: read
 on:
   pull_request:
   merge_group:

.github/workflows/kani.yml

@@ -16,6 +16,8 @@ env:
 jobs:
   regression:
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         os: [macos-13, ubuntu-22.04, ubuntu-24.04, macos-14, ubuntu-24.04-arm]
@@ -33,6 +35,8 @@ jobs:
 
   benchcomp-tests:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout Kani
         uses: actions/checkout@v5
@@ -56,6 +60,8 @@ jobs:
 
   perf:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout Kani
         uses: actions/checkout@v5
@@ -72,6 +78,8 @@ jobs:
 
   llbc-regression:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout Kani
         uses: actions/checkout@v5