security(workflows): only set write permissions inside jobs (#975)

Author: mtsfoni

.github/workflows/dotnetcore.yml

@@ -1,8 +1,6 @@
 # For details of what checks are run for PRs please refer below
 name: .NET Core CI
-
-permissions:
-  contents: read
+permissions: read-all
 
 on: [pull_request, workflow_dispatch]
 

.github/workflows/issue-label-triage.yml

@@ -1,14 +1,13 @@
 # https://docs.github.com/en/actions/managing-issues-and-pull-requests/adding-labels-to-issues
 
 name: Label issues
+permissions: read-all
+
 on:
   issues:
     types:
       - reopened
       - opened
-permissions:
-  contents: read
-
 jobs:
   label_issues:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -18,8 +18,7 @@
 # make sure the correct branch is selected. It will default to the default
 # branch.
 name: Release
-permissions:
-  contents: write
+permissions: read-all
 
 on:
   workflow_dispatch
@@ -28,6 +27,8 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0