a) add license/Copyright header, b) add missing TopLevel Security (#6184

)

### Description
<!-- - Describe your changes. -->

### Motivation and Context

The current analysis done by "openssf scorecard", which could be found
at https://api.securityscorecards.dev/projects/github.com/onnx/onnx

displays the following points:

```
    {
      "name": "Token-Permissions",
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "details": [
        "Warn: jobLevel 'contents' permission set to 'write': .github/workflows/auto_update_doc.yml:15",
        "Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:35",
        "Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:36",
        "Warn: jobLevel 'checks' permission set to 'write': .github/workflows/main.yml:204",
        "Warn: no topLevel permission defined: .github/workflows/auto_update_doc.yml:1",
        "Warn: no topLevel permission defined: .github/workflows/check_urls.yml:1",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/clang_tidy_review.yml:12",
        "Warn: topLevel 'checks' permission set to 'write': .github/workflows/clang_tidy_review_post.yml:12",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24",
        "Warn: no topLevel permission defined: .github/workflows/dco_merge_group.yml:1",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:15",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/main.yml:18",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/pages.yml:12",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/release_linux_aarch64.yml:14",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/release_linux_x86_64.yml:14",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/release_mac.yml:18",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/release_win.yml:18",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/reuse.yml:10",
        "Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:22",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/stale.yml:17",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/weekly_mac_ci.yml:18",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/win_no_exception_ci.yml:14"
      ],
      "documentation": {
        "short": "Determines if the project's workflows follow the principle of least privilege.",
        "url": "https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions"
      }
```

This pull request handles the warnings:

`"Warn: no topLevel permission defined" 
`

in order to improve security and get a higher score ;-)

This change is also recommended by:
https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions

---------

Signed-off-by: Andreas Fehlner <fehlner@arcor.de>

.github/workflows/auto_update_doc.yml

@@ -3,6 +3,9 @@ on:
   pull_request_target:
   workflow_dispatch:
 
+permissions:  # set top-level default permissions as security best practice
+  contents: read # Check https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'workflow_dispatch' }}
     cancel-in-progress: true

.github/workflows/check_urls.yml

@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: Check URLs
 
 on:
@@ -8,6 +12,9 @@ on:
     - cron:  '0 0 1 * *'
   workflow_dispatch:
 
+permissions:  # set top-level default permissions as security best practice
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -22,7 +29,7 @@ jobs:
         file_types: .md,.py,.rst,.ipynb,.cc,.h,.cpp
         print_all: false
         timeout: 2
-        retry_count# : 2
+        retry_count : 2
         exclude_urls: https://devblogs.nvidia.com/optimizing-recurrent-neural-networks-cudnn-5/,https://media.githubusercontent.com/media/,https://download.onnxruntime.ai/onnx/models
         # exclude_patterns: https://...
         force_pass: false
@@ -34,7 +41,7 @@ jobs:
         file_types: .md,.py,.rst,.ipynb,.cc,.h,.cpp
         print_all: false
         timeout: 10
-        retry_count# : 2
+        retry_count : 2
         exclude_urls: https://github.com/onnx/onnx/blob/main/docs/Operators,https://github.com/onnx/onnx/pull/436
         force_pass: false
 
@@ -45,5 +52,5 @@ jobs:
         file_types: .md,.py,.rst
         print_all: false
         timeout: 2
-        retry_count# : 2
+        retry_count : 2
         force_pass: false

.github/workflows/dco_merge_group.yml

@@ -6,6 +6,9 @@ name: DCO
 on:
   merge_group:
 
+permissions:  # set top-level default permissions as security best practice
+  contents: read # Check https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions
+
 jobs:
   DCO:
     runs-on: ubuntu-latest

.github/workflows/pages.yml

@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: Generate and publish ONNX docs
 
 on:

.github/workflows/release_linux_aarch64.yml

@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: LinuxRelease_aarch64
 
 on:

.github/workflows/release_linux_x86_64.yml

@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: LinuxRelease_x86_64
 
 on:

.github/workflows/release_mac.yml

@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: MacRelease
 
 on: