chore: : scope down GitHub Token permissions (#786)

* ci: scope down permissions for repo-sync.yml

* ci: scope down permissions for daily_ci.yml

* ci: scope down permissions for ci_test-vector-handler.yaml

* ci: scope down permissions for ci_decrypt-oracle.yaml

* ci: scope down permissions for ci_tests.yaml

* ci: scope down permissions for ci_static-analysis.yaml

---------

Co-authored-by: Adnan Khan <AdnaneKhan@users.noreply.github.com>

Author: seebees

.github/workflows/ci_decrypt-oracle.yaml

@@ -3,6 +3,9 @@ name: Continuous Integration tests for the decrypt oracle
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     runs-on: ubuntu-latest

.github/workflows/ci_static-analysis.yaml

@@ -3,6 +3,9 @@ name: Static analysis checks
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   analysis:
     runs-on: ubuntu-latest

.github/workflows/ci_test-vector-handler.yaml

@@ -9,6 +9,9 @@ on:
       INTEG_AWS_SECRET_ACCESS_KEY:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     # Leaving this defined but disabled

.github/workflows/ci_tests.yaml

@@ -13,6 +13,9 @@ env:
   AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: |
     arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     runs-on: ${{ matrix.os }}

.github/workflows/daily_ci.yml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "00 15 * * 1-5"
 
+permissions:
+  contents: read
+
 jobs:
   codebuild_batch:
     # Don't run the cron builds on forks

.github/workflows/repo-sync.yml

@@ -3,6 +3,10 @@ name: Repo Sync
 on:
   workflow_dispatch:     # allows triggering this manually through the Actions UI
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   repo-sync:
     name: Repo Sync