[StepSecurity] ci: Harden GitHub Actions (#40)

.github/workflows/codeql.yml

@@ -18,13 +18,18 @@ on:
   schedule:
     - cron: '38 2 * * 3'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (C/C++)
     runs-on: windows-latest
     timeout-minutes: 360
     permissions:
-      security-events: write
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
       packages: read
 
     steps:

.github/workflows/main.yml

@@ -16,6 +16,9 @@ on:
       - '.nuget/*'
       - build/*.yml
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}