Description
I noticed that some of your GitHub Workflows don't specify their permissions (notably ci-v2.yml and ci.yml) and their privileges are being determined by GitHub's defaults. I'd like to recommend that you always set minimal permissions to your workflows as it secures you against erroneous or malicious behaviours from external jobs you call from them. It's specially important for the case they get compromised, for example, and it's a recommendation by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.
Since it's a very simple change, I'll raise a PR following this issue and it'll be easier to evaluate the modifications =)
Context
I'm Diogo and I work on Google's Open Source Security Team(GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊