[StepSecurity] ci: Harden GitHub Actions (#266)

Signed-off-by: StepSecurity Bot <[email protected]>

Author: step-security-bot

.github/workflows/codeql-analysis.yml

@@ -17,6 +17,9 @@ concurrency:
   group: ${{ github.ref_name }}-codeql
   cancel-in-progress: true
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/fossa.yml

@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.ref_name }}-fossa
   cancel-in-progress: true
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   scan:
     name: Fossa

.github/workflows/labeler.yml

@@ -2,6 +2,9 @@ name: "Pull Request Labeler"
 on:
   - pull_request_target
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   triage:
     permissions: