Explicitly specify permissions needed by workflows

This reduces the default permissions for these workflows, see
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

.github/workflows/check-pull-request-no-dist-change.yml

@@ -8,6 +8,9 @@ on:
     paths:
       - 'action/index.js'
 
+permissions:
+  contents: read
+
 jobs:
   check-no-dist-update:
     name: Check no dist update

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ on: # rebuild any PRs and main branch changes
       - main
       - 'releases/*'
 
+permissions:
+  contents: read
+
 jobs:
   build: # make sure build/ci work properly
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -9,6 +9,11 @@ on:
   schedule:
     - cron: '24 4 * * 6'
 
+permissions:
+  contents: read
+  # Allow uploading CodeQL results
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/update-checksums-file.yml

@@ -7,6 +7,12 @@ on:
   # Support running workflow manually
   workflow_dispatch:
 
+permissions:
+  # Allow creation of branch for checksums file update
+  contents: write
+  # Allow creation of pull request
+  pull-requests: write
+
 jobs:
   update-checksums:
     name: Update checksums

.github/workflows/update-dist.yml

@@ -4,14 +4,14 @@ on:
     branches:
       - main
 
+permissions:
+  # Allow the workflow to push the changed file to the repository
+  contents: write
+
 jobs:
   update-dist:
     runs-on: ubuntu-latest
 
-    permissions:
-      # Allow the job to push the changed file to the repository
-      contents: write
-
     steps:
     - uses: actions/checkout@v4