Closed
Description
Adding minimum permissions to workflows helps keep your repository safe against supply-chain attacks. GitHub workflows are given a GITHUB_TOKEN to execute the workflow actions. But, this GITHUB_TOKEN is granted higher permissions than necessary by default, making way to supply-chain attacks. I see both workflows here, cmake.yml and makefile.yml, don't need any special permissions besides contents: read to perform actions/checkout. If you agree to add this setting, I can open a PR!
This is considered good-practice and recommended by GitHub itself and by other security tools, such as Scorecards and StepSecurity.
Additional context
About me, I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
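To illustrate the change the issue asks for, here is a constructed minimal workflow in the shape of the repository's cmake.yml (this is an added example, not the project's actual file; the job steps are placeholders). The only difference between the two variants is the top-level `permissions:` block, which scopes the GITHUB_TOKEN for every job in the workflow to read-only access to repository contents, which is all that `actions/checkout` needs:

```yaml
# BEFORE (constructed example): no permissions block, so every job's
# GITHUB_TOKEN receives the repository's default token permissions,
# which may include write scopes this workflow never uses.
name: CMake
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # placeholder version
      - run: cmake -B build && cmake --build build   # placeholder build step

---
# AFTER (constructed example): least-privilege token. Declaring
# `permissions` at the top level applies to all jobs; any scope not
# listed here is set to "none" for the token handed to this workflow.
name: CMake
on: [push, pull_request]
permissions:
  contents: read                  # enough for actions/checkout to clone
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # placeholder version
      - run: cmake -B build && cmake --build build   # placeholder build step
```

If a single job later needs more (for example to publish a release), grant that scope with a job-level `permissions:` block on that job only rather than widening the workflow-level default. The OpenSSF Scorecard tool mentioned above reports a workflow without restricted top-level permissions under its Token-Permissions check, so the change is easy to verify.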