[Security] add permissions to workflows

Author: wlemkows

.github/workflows/bandit.yml

@@ -7,6 +7,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     name: Bandit

.github/workflows/cmake.yml

@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-build:
     name: Build - Ubuntu

.github/workflows/codeql.yml

@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   analyze-ubuntu:
     name: Analyze on Ubuntu

.github/workflows/coverage.yml

@@ -2,6 +2,9 @@ name: Coverage
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-build:
     name: Build - Ubuntu

.github/workflows/coverity.yml

@@ -23,6 +23,8 @@ env:
   COVERITY_SCAN_BRANCH_PATTERN:      "main"
   TRAVIS_BRANCH:                     ${{ github.ref_name }}
 
+permissions:
+  contents: read
 
 jobs:
   linux:

.github/workflows/e2e_nightly.yml

@@ -5,6 +5,9 @@ on:
     # Run every day at 23:00 UTC
     - cron: '0 23 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   e2e-build-hw:
     name: Build SYCL, UR, run E2E

.github/workflows/nightly.yml

@@ -5,6 +5,9 @@ on:
     # Run every day at 23:00 UTC
     - cron: '0 23 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   long-fuzz-test:
     name: Run long fuzz tests

.github/workflows/prerelease.yml

@@ -6,6 +6,9 @@ on:
     # At 23:00 on Friday, GitHub actions schedule is in UTC time.
     - cron: 0 23 * * 5
 
+permissions:
+  contents: read
+
 jobs:
   weekly-prerelease:
     runs-on: ubuntu-latest