Set the workflow permissions

To pass the zizmor CI check and further secure this repos actions.

Author: pgjones

.github/workflows/ci.yml

@@ -6,11 +6,16 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   tox:
     name: ${{ matrix.name }}
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     container: python:${{ matrix.python }}
 
     strategy:
@@ -36,12 +41,18 @@ jobs:
     name: Zizmor
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - uses: pgjones/actions/zizmor@dbbee601c084d000c4fc711d4b27cb306e15ead1 # v1
 
   compliance:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/publish.yml

@@ -3,6 +3,8 @@ on:
   push:
     tags:
       - '*'
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest