GitHub Workflows security hardening

[sashashura]

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

[hashicorp-cla]

All committers have signed the CLA.

[crw]

Thanks for this submission! The safety and security of our products is deeply important to us. Our build process is designed and vetted by our internal release engineering and security teams. Although we do not typically accept pull requests for the build and release process, I will run this PR past those teams for review. Thanks for your consideration on this issue.

[sashashura]

Hi @crw, what was their response? Do you have any questions?

[sashashura]

An example of a recent workflow run with unrestricted permissions:

[sashashura]

@liamcervante @apparentlymart could you please review it?

[crw]

The internal security team approved the general approach (per @sarahethompson). The core maintainers would still need to review and accept this specific PR. I will raise it with the team. Apologies for the delay.