[chore] add top level permissions (#38869)

Many of our github workflows dont have top level permissions, adding
them as they were added in core as well.

Signed-off-by: Alex Boten <[email protected]>

Author: codeboten

.github/workflows/build-and-test-arm.yml

@@ -12,6 +12,8 @@ env:
   # We limit cache download as a whole to 5 minutes.
   SEGMENT_DOWNLOAD_TIMEOUT_MINS: 2
 
+permissions: read-all
+
 # Do not cancel this workflow on main. See https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/16616
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

.github/workflows/build-and-test-darwin.yaml

@@ -20,6 +20,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   darwin-build-unittest-binary:
     if: ${{ github.actor != 'dependabot[bot]' && (contains(github.event.pull_request.labels.*.name, 'Run Darwin') || github.event_name == 'push' || github.event_name == 'merge_group') }}

.github/workflows/build-and-test-windows.yml

@@ -22,6 +22,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   windows-unittest-matrix:
     strategy:

.github/workflows/build-and-test.yml

@@ -6,6 +6,9 @@ on:
       - "v[0-9]+.[0-9]+.[0-9]+*"
   merge_group:
   pull_request:
+
+permissions: read-all
+
 env:
   TEST_RESULTS: testbed/tests/results/junit/results.xml
   # Make sure to exit early if cache segment download times out after 2 minutes.

.github/workflows/codeql-analysis.yml

@@ -6,6 +6,8 @@ on:
     paths-ignore:
       - "**/README.md"
 
+permissions: read-all
+
 jobs:
   CodeQL-Build:
     runs-on: macos-latest