Harden workflows by limiting default permissions

.github/workflows/build.yml

@@ -6,6 +6,9 @@ name: Build
 # Run this Build for all pushes / PRs to current branch
 on: [push, pull_request]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   tests:
     runs-on: ubuntu-latest

.github/workflows/docker.yml

@@ -12,6 +12,9 @@ on:
       - 'dspace-**'
   pull_request:
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   docker:
     # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace-angular'

.github/workflows/issue_opened.yml

@@ -5,6 +5,7 @@ on:
   issues:
     types: [opened]
 
+permissions: {}
 jobs:
   automation:
     runs-on: ubuntu-latest

.github/workflows/label_merge_conflicts.yml

@@ -11,13 +11,14 @@ on:
   pull_request_target:
     types: [ synchronize ]
 
+permissions: {}
+
 jobs:
   triage:
     # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace-angular'
     if: github.repository == 'dspace/dspace-angular'
     runs-on: ubuntu-latest
     permissions:
-      issues: write
       pull-requests: write
     steps:
       # See: https://github.com/prince-chrismc/label-merge-conflicts-action