ci: Harden CI with 'contents: read' default permissions

Author: Batalex

.github/workflows/ci.yaml

@@ -1,11 +1,14 @@
 name: Build snap and run tests
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
-  workflow_call:
-    outputs:
-      snap-file:
-        description: "The snap output of build process."
-        value: ${{ jobs.build.outputs.snap-file }}
+  pull_request:
+
+permissions:
+  contents: read
 
 jobs:
   build:

.github/workflows/on_pull_request.yaml

@@ -5,6 +5,9 @@ on:
     branches:
       - 3.4/*
 
+permissions:
+  contents: read
+
 jobs:
   release_checks:
     runs-on: ubuntu-22.04
@@ -51,5 +54,4 @@ jobs:
     secrets:
       snap-store-token: ${{ secrets.SNAP_STORE_TOKEN }}
     permissions:
-      actions: read  # Needed for GitHub API call to get workflow version
       contents: write # Needed to create GitHub release