Add read-only permissions to cifuzz.yml

[pnacht]

By default, GitHub workflows run with write-all permissions. This is dangerous, since it opens the project up to supply-chain attacks. GitHub itself recommends ensuring all workflows run with minimal permissions.

I've taken a look at harfbuzz's workflows, and most already have top-level read-only permissions (added in #3639). However, cifuzz.yml doesn't have this top-level permissions block.

This issue can be solved in two ways:

• add top-level read-only permissions to cifuzz.yml; and/or
• set the default token permissions to read-only in the repo settings.

I'll be sending a PR along with this issue that sets the top-level permissions. If you instead (or also) wish to modify the default token permissions:

1. Open the repo settings
2. Go to Actions > General
3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

---

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.

[behdad]

Thanks Pedro.