feat: add permissions section to workflows for least-privilege security

Author: eloi010

.github/workflows/check.yml

@@ -2,9 +2,13 @@ name: Check compilation
 
 on: [push, pull_request]
 
+permissions: {} # lock everything by default (least-privilege)
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
     - name: Checkout repository

.github/workflows/security-code-scanner.yml

@@ -15,6 +15,8 @@ on:
         required: false
   workflow_dispatch:
 
+permissions: {} # lock everything by default (least-privilege)
+
 jobs:
   security-scan:
     uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2