Explicit workflow permissions

.github/workflows/build.yml

@@ -5,6 +5,19 @@ on:
       - main
   pull_request:
 
+permissions:
+  actions: write
+  checks: write
+  contents: read
+  deployments: read
+  issues: write
+  discussions: read
+  packages: none
+  pages: read
+  pull-requests: write
+  security-events: write
+  statuses: write
+
 jobs:
   build_only:
     runs-on: ${{ matrix.os }}

.github/workflows/metrics.yml

@@ -4,6 +4,19 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  actions: write
+  checks: read
+  contents: read
+  deployments: read
+  issues: read
+  discussions: read
+  packages: none
+  pages: read
+  pull-requests: read
+  security-events: read
+  statuses: write
+
 jobs:
   recordMetrics:
     runs-on: ubuntu-latest

.github/workflows/publish.yml

@@ -2,6 +2,20 @@ name: Publish to Nexus
 on:
   release:
     types: [published]
+
+permissions:
+  actions: write
+  checks: write
+  contents: write
+  deployments: read
+  issues: write
+  discussions: write
+  packages: write
+  pages: write
+  pull-requests: write
+  security-events: write
+  statuses: write
+
 jobs:
   build:
     runs-on: ubuntu-latest