chore: update action permissions to reduce write privilege scope

Author: brianheineman

.github/workflows/checks.yml

@@ -7,6 +7,9 @@ env:
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     runs-on: ubuntu-22.04

.github/workflows/clear-caches.yml

@@ -7,6 +7,9 @@ on:
     - cron: '0 4 * * MON'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   clear-caches:
     runs-on: ubuntu-latest

.github/workflows/pr-benchmarks.yml

@@ -2,15 +2,17 @@ name: Benchmarks
 
 on:
   pull_request:
-    types: [opened, reopened, synchronize]
+    types: [ opened, reopened, synchronize ]
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   benchmark:
     name: Run Benchmarks
     runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4

.github/workflows/pr-labeler.yml

@@ -2,15 +2,17 @@ name: Pull request labeler
 
 on:
   pull_request_target:
-    types: [opened, edited]
+    types: [ opened, edited ]
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   main:
+    name: PR Labeler
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Label pull request
         uses: release-drafter/release-drafter@v6

.github/workflows/release-drafter.yml

@@ -12,12 +12,14 @@ on:
         type: string
 
 permissions:
-  contents: write
+  contents: read
   pull-requests: read
 
 jobs:
   main:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Draft release
         uses: release-drafter/release-drafter@v6