ci: set top level permissions to satisfy code scanning

.github/workflows/build.yml

@@ -1,14 +1,14 @@
 name: build
 
-permissions:
-  contents: write
-
 on:
   pull_request:
     branches: [ master ]
   release:
     types: [edited, published]
 
+permissions:
+  contents: write
+
 jobs:
   build:
     name: PyInstaller for ${{ matrix.os }}

.github/workflows/changelog.yml

@@ -7,6 +7,8 @@ on:
   pull_request_target:
     types: [opened, edited, synchronize]
 
+permissions: read-all
+
 jobs:
   check_changelog:
     # no need to check for dependency updates via dependabot

.github/workflows/publish.yml

@@ -2,13 +2,13 @@
 # https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/
 name: publish to pypi
 
-permissions:
-  contents: write
-
 on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 jobs:
   pypi-publish:
     runs-on: ubuntu-latest

.github/workflows/tag.yml

@@ -4,6 +4,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   tag:
     name: Tag capa rules

.github/workflows/tests.yml

@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions: read-all
+
 # save workspaces to speed up testing
 env:
   CAPA_SAVE_WORKSPACE: "True"