
Build: Harden GitHub Actions workflow permissions#119

Merged
d4rken merged 1 commit into main from chore/harden-workflow-permissions on May 30, 2026

Conversation

@d4rken
Member

@d4rken d4rken commented Mar 24, 2026

Summary

  • Add explicit permissions: contents: read to all three workflows — previously they inherited the repo default (read+write on all scopes)
  • Set persist-credentials: false on all actions/checkout steps — no workflow needs git credentials after checkout
  • The release workflow's job-level permissions: contents: write is preserved for creating GitHub releases

Why

Without an explicit permissions block, GITHUB_TOKEN gets read+write access to all scopes (contents, packages, issues, pull-requests, deployments). CI workflows that only build and test should not have write access. Similarly, actions/checkout persists credentials in .git/config by default, leaving them accessible to all subsequent steps in the job.

Add explicit permissions and disable credential persistence across all workflows to follow the principle of least privilege.
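A worked example, added here and not part of this PR or the project's own workflows: a POSIX shell script that writes two constructed sample workflows (a pre-change CI workflow with no permissions block and a default checkout, and a release workflow hardened the way the summary describes) and audits them for the two settings the PR introduces. The workflow and job names, the ./gradlew build step and the gh release command in the samples are assumptions for illustration; the checks are deliberately line-based (grep/awk) so they run anywhere without a YAML parser.

```shell
#!/bin/sh
# Added example (not the project's own tooling): audit GitHub Actions workflow
# files for the two settings the PR summary introduces.

# audit_workflow FILE: print one finding per problem; return 1 if any were found.
audit_workflow() {
  f=$1
  rc=0
  # Check 1: a workflow-level permissions key (column 0) must exist; without it
  # GITHUB_TOKEN falls back to the repository-wide default.
  if ! grep -qE '^permissions:' "$f"; then
    echo "$f: no workflow-level permissions block (GITHUB_TOKEN falls back to the repository default)"
    rc=1
  fi
  if grep -qE '^permissions:[[:space:]]*write-all' "$f"; then
    echo "$f: workflow-level permissions: write-all grants every scope"
    rc=1
  fi
  # Check 2: every actions/checkout step must set persist-credentials: false.
  # A step spans from its uses: line to the next list item at the same indent
  # (or any line indented less); a deliberately line-based YAML approximation.
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    function report() {
      printf "%s:%d: actions/checkout keeps the token in .git/config (add persist-credentials: false)\n", FILENAME, step_line
      bad = 1
    }
    /^[ \t]*-?[ \t]*uses:[ \t]*actions\/checkout@/ {
      if (in_step && !ok) report()
      in_step = 1; ok = 0; base = indent($0); step_line = NR
      next
    }
    in_step {
      if ($0 ~ /^[ \t]*(#.*)?$/) next
      if (indent($0) < base || (indent($0) == base && $0 ~ /^[ \t]*-/)) {
        if (!ok) report()
        in_step = 0
      } else if ($0 ~ /persist-credentials:[ \t]*false/) {
        ok = 1
      }
    }
    END { if (in_step && !ok) report(); exit bad + 0 }
  ' "$f" || rc=1
  return "$rc"
}

SAMPLE_DIR=$(mktemp -d)
# Constructed sample 1: a CI workflow before the change (no permissions block,
# checkout left at its default, which persists the token in .git/config).
cat > "$SAMPLE_DIR/ci-before.yml" <<'EOF'
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: ./gradlew build
EOF
# Constructed sample 2: a release workflow hardened as the summary describes:
# read-only token by default, persist-credentials: false on every checkout,
# contents: write only on the job that creates the GitHub release.
cat > "$SAMPLE_DIR/release-after.yml" <<'EOF'
name: Release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Build
        run: ./gradlew build
  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Create GitHub release
        run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
EOF

for wf in "$SAMPLE_DIR"/*.yml; do
  if audit_workflow "$wf"; then echo "$wf: ok"; fi
done
```

Two points worth keeping in mind when reading the hardened sample: a job-level permissions block replaces the workflow-level one rather than extending it, so the release job ends up with contents: write and no other scope, which is the intended result; and the audit is an approximation (it does not follow reusable workflows, inline `with: {...}` maps or composite actions), so a clean result is a starting point for review, not proof that the token cannot leak.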
@TotallyAvailable

TotallyAvailable commented Mar 26, 2026

  • The same applies to 'Secret Source: Actions' btw. 🤯

  • Don't forget to "backport" that stuff to archived/less active repos

  • SHA pinning actions is not "foolproof". <no emoji available for that one>

  • "distributionSha256Sum=" in the gradle-wrapper.properties

  • <****_*******_target> might've had at some point good intentions - backfired spectacularly.

  • At least 'include-hidden-files' doesn't need to be actively changed anymore. 👍

  • SECURITY.md

  • Scheduled workflows might be a rather bad choice in terms of risk vs usefulness.

  • Immutable releases might be worth considering if they fit into your personal workflow (pointed out for the unfortunate automatic association with GitHub workflows...)

  • Some form of attestation

  • Consider the inclusion/suggestion of 'CODEOWNERS' for any multi-dev project.

  • Do not rely on the trustworthiness of (posted) checksum integrity through release notes or assets.

  • Be aware of what a chosen runner image ships with

Thanks for caring and looking further into it btw.

@d4rken d4rken merged commit fd9b12a into main May 30, 2026
9 checks passed
@d4rken d4rken deleted the chore/harden-workflow-permissions branch May 30, 2026 11:11
2 participants