fix(ci): GitHub Workflows security hardening (#7156)

.github/workflows/label-manager.yml

@@ -1,7 +1,12 @@
 on: issues
 name: Create Default Labels
+permissions: {}
 jobs:
   labels:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      issues: write # to add label to issues 
+
     name: DefaultLabelsActions
     runs-on: ubuntu-latest
     steps:

.github/workflows/pr-release.yml

@@ -8,8 +8,13 @@ on:
 env:
   HUSKY: 0 # Bypass husky commit hook for CI
 
+permissions: {}
 jobs:
   pr-release:
+    permissions:
+      contents: write # to create release (changesets/action)
+      pull-requests: write # to create pull request (changesets/action)
+
     timeout-minutes: 15
     runs-on: ubuntu-latest
     steps:

.github/workflows/test.yaml

@@ -14,6 +14,9 @@ on:
         description: Force rebuild docker images for CI tests
         required: false
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test-linux:
     runs-on: ubuntu-20.04