Contain CI permissions to avoid global read-write (#4348)

Addresses code scanning alert. Fix generated by Copilot Autofix.

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Felipe R. Monteiro <[email protected]>

Author: 3 people

.github/workflows/bench-compiler.yml

@@ -3,6 +3,8 @@
 #
 # Run performance benchmarks comparing the compiler performance of two different Kani versions.
 name: Kani Compiler Performance Benchmarks
+permissions:
+  contents: read
 on:
   push:
     branches:
@@ -161,4 +163,4 @@ jobs:
           export PATH="${{ github.workspace }}/new/scripts:$PATH"
           cd new/tests/perf/s2n-quic && ../../../target/release/compile-timer --out-path compile-times-new.json --also-visit quic/s2n-quic-core --also-visit quic/s2n-quic-platform --also-visit common/s2n-codec --skip-current
       - name: Run analysis between the two
-        run: ./new/target/release/compile-analyzer --path-pre old/tests/perf/s2n-quic/compile-times-old.json --path-post new/tests/perf/s2n-quic/compile-times-new.json --only-markdown --suite-name long >> "$GITHUB_STEP_SUMMARY"
+        run: ./new/target/release/compile-analyzer --path-pre old/tests/perf/s2n-quic/compile-times-old.json --path-post new/tests/perf/s2n-quic/compile-times-new.json --only-markdown --suite-name long >> "$GITHUB_STEP_SUMMARY"

.github/workflows/bench-e2e.yml

@@ -7,6 +7,8 @@
 #  - Changes are pushed to 'main'.
 #  - Triggered by another workflow
 name: Kani End-To-End Performance Benchmarks
+permissions:
+  contents: read
 on:
   push:
     branches:

.github/workflows/cbmc-latest.yml

@@ -5,6 +5,9 @@
 name: >-
   Nightly: CBMC Latest
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: "0 9 * * *" # Run this every day at 9 AM UTC (4 AM ET/1 AM PT)

.github/workflows/extra_jobs.yml

@@ -18,6 +18,8 @@
 # See https://github.com/actions/labeler?tab=readme-ov-file#recommended-permissions for more details.
 
 name: Kani Extra
+permissions:
+  contents: read
 on:
   pull_request_target:
   merge_group:
@@ -27,7 +29,6 @@ jobs:
   auto-label:
     name: Auto Label
     permissions:
-      contents: read
       pull-requests: write
     outputs:
       all-labels: ${{ steps.labeler.outputs.all-labels }}
@@ -46,13 +47,11 @@ jobs:
   end-to-end-bench:
     name: End-to-End Benchmarks
     needs: auto-label
-    permissions: {}
     if: ${{ contains(needs.auto-label.outputs.all-labels, 'Z-EndToEndBenchCI') && github.event_name != 'merge_group' }}
     uses: ./.github/workflows/bench-e2e.yml
 
   compiler-bench:
     name: Compiler Benchmarks
     needs: auto-label
-    permissions: {}
     if: ${{ contains(needs.auto-label.outputs.all-labels, 'Z-CompilerBenchCI') && github.event_name != 'merge_group' }}
     uses: ./.github/workflows/bench-compiler.yml

.github/workflows/format-check.yml

@@ -1,6 +1,8 @@
 # Copyright Kani Contributors
 # SPDX-License-Identifier: Apache-2.0 OR MIT
 name: Kani Format Check
+permissions:
+  contents: read
 on:
   pull_request:
   merge_group:

.github/workflows/release.yml

@@ -6,6 +6,8 @@
 # The release will create a draft release and upload the bundles to it, and it will only run when we push a new
 # release tag (i.e.: tag named `kani-*`).
 name: Release Bundle
+permissions:
+  contents: read
 on:
   pull_request:
   merge_group:
@@ -272,6 +274,8 @@ jobs:
     if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/kani-') }}
     name: Release
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     needs: [build_bundle_macos_x86_64, build_bundle_macos_aarch64, build_bundle_linux_x86_64, build_bundle_linux_aarch64, test_bundle]
     outputs:
       version: ${{ steps.versioning.outputs.version }}

.github/workflows/slow-tests.yml

@@ -5,6 +5,9 @@
 name: >-
   Nightly: Slow tests
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: "30 5 * * *" # Run this every day at 05:30 UTC

.github/workflows/verify-std-check.yml

@@ -13,6 +13,8 @@
 # Changes unrelated to the toolchain should match the current status of main.
 
 name: Check Std Verification
+permissions:
+  contents: read
 on:
   pull_request:
   workflow_call: