ci: add minimum GitHub token permissions for workflows

.github/workflows/audit.yml

@@ -9,8 +9,15 @@ on:
   schedule:
     - cron: '0 2 * * *' # run at 2 AM UTC
 
+permissions:
+  contents: read
+
 jobs:
   security-audit:
+    permissions:
+      checks: write  # for actions-rs/audit-check to create check
+      contents: read  # for actions/checkout to fetch code
+      issues: write  # for actions-rs/audit-check to create issues
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, 'ci skip')"
     steps:

.github/workflows/ci.yml

@@ -27,6 +27,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   # Depends on all action sthat are required for a "successful" CI run.
   tests-pass:

.github/workflows/labeler.yml

@@ -4,8 +4,14 @@ on:
 
 # See .github/labeler.yml file
 
+permissions:
+  contents: read
+
 jobs:
   triage:
+    permissions:
+      contents: read  # for actions/labeler to determine modified files
+      pull-requests: write  # for actions/labeler to add labels to PRs
     runs-on: ubuntu-latest
     if: github.repository_owner == 'tokio-rs'
     steps:

.github/workflows/loom.yml

@@ -13,6 +13,9 @@ env:
   # Change to specific Rust release to pin
   rust_stable: stable
 
+permissions:
+  contents: read
+
 jobs:
   loom:
     name: loom

.github/workflows/pr-audit.yml

@@ -8,6 +8,9 @@ on:
     paths:
       - '**/Cargo.toml'
 
+permissions:
+  contents: read
+
 jobs:
   security-audit:
     runs-on: ubuntu-latest

.github/workflows/stress-test.yml

@@ -11,6 +11,9 @@ env:
   # Change to specific Rust release to pin
   rust_stable: stable
 
+permissions:
+  contents: read
+
 jobs:
   stress-test:
     name: Stress Test