ci: update workflow permissions

Signed-off-by: Matthew Penner <me@matthewp.io>

Author: matthewpi

.github/workflows/docker.yaml

@@ -14,6 +14,9 @@ jobs:
     runs-on: ubuntu-22.04
     # Always run against a tag, even if the commit into the tag has [docker skip] within the commit message.
     if: "!contains(github.ref, 'develop') || (!contains(github.event.head_commit.message, 'skip docker') && !contains(github.event.head_commit.message, 'docker skip'))"
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Code checkout
         uses: actions/checkout@v4

.github/workflows/push.yaml

@@ -12,6 +12,8 @@ jobs:
   build-and-test:
     name: Build and Test
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:

.github/workflows/release.yaml

@@ -9,6 +9,8 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write # write is required to create releases and push.
 
     steps:
       - name: Code Checkout