ci: specify permissions that workflows pass to jobs/actions (#201)

Signed-off-by: Charles Moore <[email protected]>

Author: moorec-aws

.github/workflows/codeql.yml

@@ -12,3 +12,5 @@ jobs:
   Analysis:
     name: Analysis
     uses: OpenJobDescription/.github/.github/workflows/reusable_codeql.yml@mainline
+    permissions:
+      security-events: write

.github/workflows/release_bump.yml

@@ -20,6 +20,9 @@ jobs:
   Bump:
     name: Version Bump
     uses: OpenJobDescription/.github/.github/workflows/reusable_bump.yml@mainline
+    permissions:
+      contents: write
+      pull-requests: write
     secrets: inherit
     with:
       force_version_bump: ${{ inputs.force_version_bump }}

.github/workflows/responded.yml

@@ -6,3 +6,6 @@ on:
 jobs:
   check-for-response:
     uses: OpenJobDescription/.github/.github/workflows/reusable_responded.yml@mainline
+    permissions:
+      issues: write
+      pull-requests: write

.github/workflows/stale_prs_and_issues.yml

@@ -7,3 +7,7 @@ on:
 jobs:
   check-for-stales:
     uses: OpenJobDescription/.github/.github/workflows/reusable_stale_prs_and_issues.yml@mainline
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write