ci: Harden GitHub Actions (#527)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

.github/workflows/codeql-analysis.yml

@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '27 10 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/gen-docs.yml

@@ -7,8 +7,13 @@ on:
     paths:
       - 'src/Microsoft.ComponentDetection.Orchestrator/ArgumentSets/*.cs'
 
+permissions:
+  contents: read
+
 jobs:
   gen-docs:
+    permissions:
+      contents: write  # for stefanzweifel/git-auto-commit-action to push code in repo
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

.github/workflows/release-drafter.yml

@@ -6,6 +6,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
     permissions:

.github/workflows/snapshot-publish.yml

@@ -6,6 +6,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}