[StepSecurity] ci: Harden GitHub Actions (open-telemetry#2803)

* [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <[email protected]>

* Update .github/workflows/spell-check.yml

---------

Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: Trask Stalnaker <[email protected]>

Author: 2 people

.github/workflows/issue-management-stale-action.yml

@@ -5,8 +5,14 @@ on:
     # Hourly at minute 23
     - cron: "23 * * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0

.github/workflows/reusable-markdown-link-check.yml

@@ -3,6 +3,9 @@ name: Reusable - Markdown link check
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest

.github/workflows/spell-check.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   spelling-check:
     runs-on: ubuntu-latest

.github/workflows/table-check.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   table-check:
     runs-on: ubuntu-latest

.github/workflows/toc-check.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   toc-check:
     runs-on: ubuntu-latest