ci: explicit permissions to actions (#529)

Author: doublethink

.github/workflows/ci.yml

@@ -8,6 +8,9 @@ on:
       - develop
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CARGO_INCREMENTAL: 0
   CARGO_NET_RETRY: 10
@@ -74,7 +77,7 @@ jobs:
           envFile: '.env'
 
       - name: Install ONNX Runtime Library
-        run: ./scripts/install_onnx.sh ${{ env.ONNXRUNTIME_VERSION }} linux x64 /tmp/onnxruntime
+        run: ./scripts/install_onnx.sh "${{ env.ONNXRUNTIME_VERSION }}" linux x64 /tmp/onnxruntime
 
       - name: Prepare test eszip binaries
         if: |

.github/workflows/mirror.yml

@@ -8,6 +8,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   mirror:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -7,6 +7,9 @@ on:
       - develop
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   release:
     runs-on: ubuntu-latest