Copilot AI commented Jun 29, 2025

This PR adds minimum token permissions to all GitHub workflow files to follow OSSF Scorecard security best practices as outlined in the Token Permissions check documentation.

Changes Made

  • Added permissions: contents: read to 12 workflow files that previously had no permissions declared:

    • boost_log.yml
    • fluentd.yml
    • geneva_metrics.yml
    • geneva_trace.yml
    • glog.yml
    • httpd.yml
    • log4cxx.yml
    • nginx.yml
    • prometheus.yml
    • spdlog.yml
    • user_events.yml
    • webserver.yml
  • Added job-specific permissions: contents: write to the create-release and upload-release-artifacts jobs in nginx.yml that use softprops/action-gh-release@v2 for creating GitHub releases

  • Left unchanged workflows that already had appropriate permissions:

    • fossa.yml - already had permissions: contents: read
    • ossf-scorecard.yml - kept existing permissions: read-all as required

Security Benefits

These changes ensure that:

  • Workflows run with minimal necessary permissions by default
  • Only specific jobs that need elevated permissions (like creating releases) have them
  • The principle of least privilege is followed across all CI/CD workflows

All workflow files remain syntactically valid and functionally equivalent while now following security best practices.

Fixes #1.



Copilot AI changed the title from "[WIP] Add minimum token permissions for all github workflow files" to "Add minimum token permissions for all GitHub workflow files" Jun 29, 2025
Copilot AI requested a review from trask June 29, 2025 04:45
Copilot finished work on behalf of trask June 29, 2025 04:45
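The shape the PR description gives for nginx.yml (a workflow-level read-only default plus a job-level contents: write for the job that calls softprops/action-gh-release@v2), written out as an added example. This is not a file from the PR; the workflow name, triggers, job names, build command and artifact path are assumed for illustration, and only the permissions blocks and the release action reflect what the description states.

```yaml
# Added example, not the PR's nginx.yml. Job names, triggers, the build
# step and the artifact path are assumptions for illustration.
name: nginx

on:
  push:
    tags: ['v*']
  pull_request:

# Workflow-level default: every job that does not declare its own
# permissions block gets a GITHUB_TOKEN limited to reading contents.
# Before this PR the key was absent, so the token fell back to the
# repository's default, which can be read/write for every scope.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions block here, so this job inherits contents: read.
    steps:
      - uses: actions/checkout@v4
      - run: make all   # assumed build step

  create-release:
    needs: build
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one rather than
    # merging with it: this job gets contents: write and every other
    # scope is none. Only the job that publishes the release gets it.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: softprops/action-gh-release@v2
        with:
          files: dist/*   # assumed artifact path
```

Two checks worth doing when applying this pattern: confirm that the release job is the only place a write scope appears (a quick `grep -n 'write' .github/workflows/*.yml` shows every grant), and remember that the job-level block overrides rather than extends the workflow-level one, so a job that also needs, say, `packages: write` must list both scopes explicitly. Pull requests from forks receive a read-only token regardless of these settings, so the write grant only ever takes effect on the tag push that creates the release.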
trask commented Jun 29, 2025

Additional prompts:

  • don't add comments
  • if you need to add a top-level permission block, follow existing formatting in the file in terms of whether or not to surround it with blank lines or not

Copilot AI commented Jun 29, 2025

Additional prompts:

  • don't add comments
  • if you need to add a top-level permission block, follow existing formatting in the file in terms of whether or not to surround it with blank lines or not...

Updated the formatting to follow existing blank line patterns in each workflow file. Files that originally had no blank line before the jobs: section now have permissions added without blank lines, while files that had blank lines maintain that pattern. Commit 9a1f64b addresses the formatting feedback.

Copilot finished work on behalf of trask June 29, 2025 15:32
trask commented Jun 29, 2025

Additional prompts:

  • ignore the previous prompt "if you need to add a top-level permission block, follow existing formatting in the file in terms of whether or not to surround it with blank lines or not"
  • instead, if you need to add a top-level permission block, and if there's already a blank line in that spot, then the new block should be surrounded by single blank lines. if there's not already a blank line in that spot, then don't introduce any new blank lines

Copilot AI commented Jun 29, 2025

Additional prompts:

  • ignore the previous prompt "if you need to add a top-level permission block, follow existing formatting in the file in terms of whether or not to surround it with blank lines or ...

The formatting has been updated according to the new rule. Files that originally had blank lines before jobs: now have permissions blocks surrounded by blank lines, while files that originally had no blank line before jobs: (geneva_metrics.yml and nginx.yml) now have permissions blocks with no surrounding blank lines. All files follow the existing formatting patterns. Commit 9a1f64b.

Copilot finished work on behalf of trask June 29, 2025 16:13