Set top-level read-only workflow permissions

[pnacht]

Fixes #6774.

As mentioned in the issue, this PR adds top-level read-only permissions to coverage.yml, ensuring it can't be used for supply-chain attacks on the repo.

I've also made a few similar changes to the other workflows, mostly just setting write permissions at job-level instead of top-level. This serves to future-proof the workflows in case new jobs (that don't need those permissions) are added to the workflows. However, this change has no immediate impact to those workflows' security: the tokens effectively used in those jobs are unchanged.

RELEASE NOTES: None

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: pnacht / name: Pedro Kaj Kjellerup Nacht (4b36065, 8cb6438)

[codecov]

Codecov Report

Merging #6775 (8cb6438) into master (482de22) will decrease coverage by 0.10%.
The diff coverage is n/a.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6775      +/-   ##
==========================================
- Coverage   83.40%   83.31%   -0.10%     
==========================================
  Files         285      285              
  Lines       30966    30966              
==========================================
- Hits        25828    25798      -30     
- Misses       4068     4087      +19     
- Partials     1070     1081      +11     

see 21 files with indirect coverage changes

[arvindbr8]

@pnacht -- Thanks for the PR. Also thanks for bringing this to our notice.

The diff looks good to me, however you might have to get your account auth'd by a signed CLA. Just follow the steps here.

[arvindbr8]

LGTM.

---

@dfawley: Could you PTAL as well?

[dfawley]

Thank you for the fix!