[CI] Use least privileged tokens by default in workflows

Author: lukaszstolarczuk

.github/workflows/benchmarks.yml

@@ -22,11 +22,13 @@ on:
           - L0_PERF
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   manual:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Compute Benchmarks
     uses: ./.github/workflows/reusable_benchmarks.yml
     with:

.github/workflows/reusable_benchmarks.yml

@@ -20,8 +20,7 @@ on:
         default: 'L0_PERF'
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 env:
   UMF_DIR: "${{github.workspace}}/umf-repo"
@@ -33,6 +32,9 @@ jobs:
     # run only on upstream; forks will not have the HW
     if: github.repository == 'oneapi-src/unified-memory-framework'
     runs-on: ${{ inputs.runner }}
+    permissions:
+      contents: write
+      pull-requests: write
 
     steps:
     - name: Add comment to PR