Restrict job permissions in GitHub actions workflows

Restrict the GitHub token permissions only to the required ones, i.e.
just read-only access to the code.

This is done in order to reduce the potential harm in case of a
malicious pull request, see GitHub blog post at
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>

Closes #22574.

.github/workflows/ci.yml

@@ -45,6 +45,9 @@ on:
       - '*.yml'
       - 'wxwidgets.props'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.runner }}

.github/workflows/ci_mac.yml

@@ -63,6 +63,9 @@ on:
     - '*.yml'
     - 'wxwidgets.props'
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     defaults:

.github/workflows/ci_mac_xcode.yml

@@ -63,6 +63,9 @@ on:
     - '*.yml'
     - 'wxwidgets.props'
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     defaults:

.github/workflows/ci_msw.yml

@@ -45,6 +45,9 @@ on:
       - '*.md'
       - '*.yml'
 
+permissions:
+  contents: read
+
 jobs:
   msw-msvs:
     runs-on: windows-${{ matrix.vsversion }}

.github/workflows/ci_msw_cross.yml

@@ -49,6 +49,9 @@ on:
       - '*.yml'
       - 'wxwidgets.props'
 
+permissions:
+  contents: read
+
 jobs:
   msw-cross-build:
     # Set up this job to run in a Debian Sid container because it has recent

.github/workflows/code_checks.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   check-unix:
     runs-on: ubuntu-20.04

.github/workflows/docs_update.yml

@@ -18,6 +18,9 @@ on:
   workflow_dispatch:
 
 
+permissions:
+  contents: read
+
 jobs:
   update:
     runs-on: ubuntu-20.04