GitHub Workflows security hardening

[sashashura]

Pull Request check-list

Please make sure to review and check all of these items:

• Does $ tox pass with this change (including linting)?
• Do the CI tests pass with this change (enable it first in your forked repo and wait for the github action build to finish)?
• Is the new or changed code fully tested?
• Is a documentation update included (if this change modifies existing APIs, or introduces new ones)?
• Is there an example added to the examples folder (if applicable)?
• Was the change added to CHANGES file?

NOTE: these things are not required to open a PR and can be done
afterwards / while the PR is open.

Description of change

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

[chayim]

Does the drafter need this permission? We don't use it to add permissions, rather rely on the permissions set in the PR. WDYT?

[sashashura]

These are the permissions the author documented as needed in the readme https://github.com/release-drafter/release-drafter/blob/6df64e4ba4842c203c604c1f45246c5863410adb/README.md?plain=1#L35-L39
Note, that pull-requests permission can be read-only if autolabeler is not used.

We don't use it to add permissions, rather rely on the permissions set in the PR.

I'm not sure I understand the question. The lines do not add new permissions, the default ones are write to all. The lines remove everything not explicitly mentioned.

[sashashura]

I.e. the workflow runs on push, not on pull-request with write to all permissions.

[codecov-commenter]

Codecov Report

Base: 92.22% // Head: 92.21% // Decreases project coverage by -0.01% ⚠️

Coverage data is based on head (af61db2) compared to base (fa45fb1).
Patch has no changes to coverable lines.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2444      +/-   ##
==========================================
- Coverage   92.22%   92.21%   -0.02%     
==========================================
  Files         113      113              
  Lines       29239    29239              
==========================================
- Hits        26965    26962       -3     
- Misses       2274     2277       +3     

Impacted Files	Coverage Δ
redis/asyncio/connection.py	86.44% <0.00%> (-0.13%)	⬇️
tests/test_cluster.py	96.86% <0.00%> (-0.12%)	⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.