GitHub Workflows security hardening

[sashashura]

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

[codecov]

Codecov Report

Base: 65.28% // Head: 65.28% // No change to project coverage 👍

Coverage data is based on head (a8e62c7) compared to base (5d436ba).
Patch has no changes to coverable lines.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #3519   +/-   ##
=======================================
  Coverage   65.28%   65.28%           
=======================================
  Files         309      309           
  Lines       40873    40873           
  Branches     5381     5381           
=======================================
  Hits        26684    26684           
  Misses      13111    13111           
  Partials     1078     1078           

Flag	Coverage Δ
unittests	65.03% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[sashashura]

@mgxd @effigies could you please review?

[sashashura]

An example of a workflow run with unrestricted permissions:

[effigies]

Thanks for bumping this. I've merged master in so we can see what it looks like. I'm not sure if it failed to run before or if the checks just expired.

[effigies]

LGTM. Thanks!