Fix CodeQL warnings about lack of workflow permissions

Author: timgraham

.github/workflows/linters1.yml

@@ -0,0 +1,48 @@
+name: Linters
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+          cache: 'pip'
+          cache-dependency-path: 'pyproject.toml'
+      - name: Install Python dependencies
+        run: |
+          python -m pip install -U pip pre-commit
+      - name: Run linters
+        run: |
+          pre-commit run --hook-stage=manual --all-files
+  docs:
+    name: Docs Checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
+        with:
+          cache: 'pip'
+          cache-dependency-path: 'pyproject.toml'
+          python-version: '3.10'
+      - name: Install dependencies
+        run: |
+          pip install -U pip
+          pip install -e ".[docs]"
+      - name: Build docs
+        run: |
+          cd docs
+          make html

.github/workflows/test-python-atlas.yml

@@ -54,3 +54,5 @@ jobs:
         run: bash .github/workflows/start_local_atlas.sh mongodb/mongodb-atlas-local:7
       - name: Run tests
         run: python3 django_repo/tests/runtests.py --settings mongodb_settings -v 2
+    permissions:
+        contents: read

.github/workflows/test-python.yml

@@ -55,3 +55,5 @@ jobs:
           mongodb-version: 6.0
       - name: Run tests
         run: python3 django_repo/tests/runtests_.py
+    permissions:
+        contents: read

.github/workflows/test-python1.yml

@@ -0,0 +1,59 @@
+name: Python Tests
+
+on:
+  pull_request:
+      paths:
+      - '**.py'
+      - '!setup.py'
+      - '.github/workflows/test-python.yml'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash -eux {0}
+
+jobs:
+  build:
+    name: Django Test Suite
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout django-mongodb-backend
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: install django-mongodb-backend
+        run: |
+          pip3 install --upgrade pip
+          pip3 install -e .
+      - name: Checkout Django
+        uses: actions/checkout@v4
+        with:
+          repository: 'mongodb-forks/django'
+          ref: 'mongodb-5.2.x'
+          path: 'django_repo'
+          persist-credentials: false
+      - name: Install system packages for Django's Python test dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install libmemcached-dev
+      - name: Install Django and its Python test dependencies
+        run: |
+          cd django_repo/tests/
+          pip3 install -e ..
+          pip3 install -r requirements/py3.txt
+      - name: Copy the test settings file
+        run: cp .github/workflows/mongodb_settings.py django_repo/tests/
+      - name: Copy the test runner file
+        run: cp .github/workflows/runtests.py django_repo/tests/runtests_.py
+      - name: Start MongoDB
+        uses: supercharge/mongodb-github-action@90004df786821b6308fb02299e5835d0dae05d0d # 1.12.0
+        with:
+          mongodb-version: 6.0
+      - name: Run tests
+        run: python3 django_repo/tests/runtests_.py
+    permissions:
+        contents: read