GHA CI: reduce permission scope

.github/workflows/ci_macos.yaml

@@ -2,8 +2,7 @@ name: CI - macOS
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Build
     runs-on: macos-latest
+    permissions:
+      actions: write
 
     strategy:
       fail-fast: false

.github/workflows/ci_ubuntu.yaml

@@ -2,9 +2,7 @@ name: CI - Ubuntu
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
-  security-events: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -14,6 +12,9 @@ jobs:
   ci:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      security-events: write
 
     strategy:
       fail-fast: false

.github/workflows/ci_webui.yaml

@@ -2,8 +2,7 @@ name: CI - WebUI
 
 on: [pull_request, push]
 
-permissions:
-  security-events: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
 
     defaults:
       run:

.github/workflows/ci_windows.yaml

@@ -2,8 +2,7 @@ name: CI - Windows
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Build
     runs-on: windows-latest
+    permissions:
+      actions: write
 
     strategy:
       fail-fast: false

.github/workflows/stale_bot.yaml

@@ -4,12 +4,13 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Mark and close stale PRs
         uses: actions/stale@v9