ci: add explicit permissions to address CodeQL findings

Author: masutaka

.github/workflows/release.yml

@@ -21,6 +21,8 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - uses: actions/create-github-app-token@v2
         id: app-token
@@ -74,6 +76,8 @@ jobs:
     if: failure()
     needs: [release]
     uses: masutaka/actions/.github/workflows/pushover.yml@main
+    permissions:
+      contents: read
     secrets:
       PUSHOVER_API_KEY: ${{ secrets.PUSHOVER_API_KEY }}
       PUSHOVER_USER_KEY: ${{ secrets.PUSHOVER_USER_KEY }}

.github/workflows/schedule.yml

@@ -22,6 +22,8 @@ jobs:
     if: github.ref_name == github.event.repository.default_branch && failure()
     needs: codeql
     uses: masutaka/actions/.github/workflows/pushover.yml@main
+    permissions:
+      contents: read
     secrets:
       PUSHOVER_API_KEY: ${{ secrets.PUSHOVER_API_KEY }}
       PUSHOVER_USER_KEY: ${{ secrets.PUSHOVER_USER_KEY }}

.github/workflows/test.yml

@@ -33,6 +33,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Setup Go environment
@@ -45,6 +47,8 @@ jobs:
     if: github.ref_name == github.event.repository.default_branch && failure()
     needs: [actionlint, codeql, test]
     uses: masutaka/actions/.github/workflows/pushover.yml@main
+    permissions:
+      contents: read
     secrets:
       PUSHOVER_API_KEY: ${{ secrets.PUSHOVER_API_KEY }}
       PUSHOVER_USER_KEY: ${{ secrets.PUSHOVER_USER_KEY }}