workflows: Set top-level permissions

This changes very little but it does mean any jobs added in future have to
be explicit about the permissions they need. This also makes OSSF scorecard
happier.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Author: jku

.github/workflows/_test.yml

@@ -2,6 +2,7 @@ on:
   workflow_call:
   # Permissions inherited from caller workflow
 
+permissions: {}
 
 jobs:
   tests:

.github/workflows/ci.yml

@@ -8,8 +8,7 @@ on:
   pull_request:
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:

.github/workflows/codeql-analysis.yml

@@ -7,6 +7,9 @@ on:
     branches: [ develop ]
   schedule:
     - cron: '30 0 * * 2'
+  workflow_dispatch:
+
+permissions: {}
 
 jobs:
   analyze:

.github/workflows/specification-version-check.yml

@@ -2,7 +2,11 @@ on:
   schedule:
     - cron: "0 13 * * *"
   workflow_dispatch:
+
 name: Specification version check
+
+permissions: {}
+
 jobs:
   # Get the version of the TUF specification the project states it supports
   get-supported-tuf-version: