Restrict permissions of GITHUB_TOKEN in workflows

`GITHUB_TOKEN` is an access token provided automatically by GitHub Actions. By default, this token has write permissions
except when the workflow is triggered by events generated by a PR from a fork.

This level of privilege is not needed by any of the workflows, which violates the security principle of least privilege.

For this reason, GitHub Actions now allows fine grained control of the permissions provided to the token, which are used
here to configure the workflows for only the permissions they require. The automatic permissions downgrade from write to
read for workflows triggered by events generated by a PR from a fork is unaffected.

Even when all permissions are withheld (permissions: {}`), the token still provides the authenticated API request rate
limiting allowance, which is the most common use of the token in these workflows.

Read permissions are required in the "contents" scope in order to checkout private repositories. Even though those
permissions are not required for public repositories, the workflow templates are intended to be applicable in public and
private repositories both and so a small excess in permissions was chosen over a large increase in maintenance effort to
have an extra version of each of the workflows for use in private repositories.

Author: per1234

.github/workflows/check-configs.yml

@@ -24,6 +24,8 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions: {}
+
 jobs:
   validate:
     name: ${{ matrix.configuration.path }}

.github/workflows/check-general-formatting.yml

@@ -11,6 +11,9 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

.github/workflows/check-javascript-npm.yml

@@ -18,6 +18,9 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

.github/workflows/check-json.yml

@@ -19,6 +19,9 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

.github/workflows/check-markdown.yml

@@ -27,6 +27,9 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/check-npm.yml

@@ -23,6 +23,9 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     runs-on: ubuntu-latest

.github/workflows/check-prettier-formatting.yml

@@ -199,6 +199,9 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

.github/workflows/check-shell.yml

@@ -21,6 +21,9 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/check-sync.yml

@@ -13,6 +13,8 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   check-sync:
     runs-on: ubuntu-latest

.github/workflows/check-taskfiles.yml

@@ -17,6 +17,9 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     name: Validate ${{ matrix.file }}