authorBenjamin Gilbert <bgilbert@redhat.com>2021-07-28 18:32:04 -0400
committerBenjamin Gilbert <bgilbert@redhat.com>2021-07-28 18:32:04 -0400
commitd9483f89ad2035b4cf4038b4ffe7dc297c2b7f0d (patch)
tree2592848e0aeeb2c5be96d3e07164a6493632a0e7 /.github
parent079528971ce9572e75d088b328efe5f84b52c988 (diff)
downloadostree-d9483f89ad2035b4cf4038b4ffe7dc297c2b7f0d.tar.gz
workflows: limit permissions to reading repo contents
Move the existing docs permissions stanza to the top of the workflow for consistency.
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/docs.yml10
-rw-r--r--.github/workflows/release.yml3
-rw-r--r--.github/workflows/rust.yml4
-rw-r--r--.github/workflows/tests.yml4
4 files changed, 17 insertions, 4 deletions
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 05ede2e9..74f5e9d6 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,19 +1,21 @@
---
name: Docs
+
on:
push:
branches: [main]
pull_request:
branches: [main]
+permissions:
+ # This workflow pushes to the gh-pages branch, so the token needs write
+ # privileges for repo contents.
+ contents: write
+
jobs:
docs:
name: Build documentation
runs-on: ubuntu-latest
- permissions:
- # This job pushes to the gh-pages branch, so the token needs write
- # privileges for repo contents.
- contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v2
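Review bot: Moving `contents: write` from the `docs` job to the workflow level makes the write-capable token the default for every job in this workflow, and the workflow also triggers on `pull_request`. If the aim is consistency with the other workflows, a tighter layout is a top-level `permissions:` with `contents: read`, keeping the existing job-level `contents: write` stanza on `docs` so only the job that pushes to gh-pages gets write access. The job's steps continue outside the hunk, so whether the push step is restricted to `push` events cannot be seen here. The `actions/checkout@v2` step leaves the token in the local git config by default, so every later step in that job can use it.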
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 399b6637..e8fcd42b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
paths:
- 'configure.ac'
+permissions:
+ contents: read
+
jobs:
ci-release-build:
name: "Sanity check release commits"
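Review bot: The new top-level `permissions:` block lists only `contents: read`, which sets every scope not listed to `none` for all jobs in the workflow; the same stanza is added in rust.yml and tests.yml. That is the intended tightening, but the job bodies are outside these hunks, so it is worth confirming that no step relies on another scope (for example reporting checks or commenting on pull requests). A short comment above the stanza would help the next editor, e.g. `# Scopes not listed here are set to none; grant extras per job.`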
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 0dce242a..ef6e38a7 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -1,11 +1,15 @@
---
name: Rust
+
on:
push:
branches: [main]
pull_request:
branches: [main]
+permissions:
+ contents: read
+
env:
CARGO_TERM_COLOR: always
ACTIONS_LINTS_TOOLCHAIN: 1.53.0
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 45626be2..df1b1e07 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,11 +1,15 @@
---
name: Tests
+
on:
push:
branches: [main]
pull_request:
branches: [main]
+permissions:
+ contents: read
+
jobs:
tests:
# Distro configuration matrix