workflows: restrict GITHUB_TOKEN permissions to contents: read

Add explicit top-level permissions block to all GitHub Actions workflow
files, limiting the GITHUB_TOKEN to the minimum required scope: read.

Why this is recommended:
GitHub Actions grants the GITHUB_TOKEN broad default permissions
(read/write on most scopes) unless explicitly restricted. The GitHub
security hardening guide and CodeQL
(actions/missing-workflow-permissions rule) recommend always declaring
an explicit permissions block to enforce the principle of least
privilege.

Threats prevented:
- Compromised or malicious third-party actions (supply chain attacks)
  cannot use the implicit GITHUB_TOKEN to write to the repository,
  create releases, modify issues/PRs, upload packages, or affect
  deployments - even if such an action is injected into the workflow.
- If a vulnerability in a workflow step allows code execution (e.g. via
  script injection through PR title/body), the attacker's ability to
  abuse the token is limited to read-only repository access.
- Reduces blast radius of any accidental or intentional misuse of the
  token across all CI jobs.

Affected workflows: build_all, codestyle, daily-tests, ipc_fuzzer,
llext, pull-request, repro-build, rimage, sof-docs, sparse-zephyr,
testbench, tools, unit-tests, zephyr.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>

Author: tmleman

.github/workflows/build_all.yml

@@ -8,6 +8,9 @@ name: Build test all components
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
 
+permissions:
+  contents: read
+
 jobs:
 
   stub-build:

.github/workflows/codestyle.yml

@@ -14,6 +14,9 @@ name: codestyle
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_call, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   checkpatch:
     runs-on: ubuntu-24.04

.github/workflows/daily-tests.yml

@@ -13,6 +13,9 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
 
   # Keep in .yml alphabetical order

.github/workflows/ipc_fuzzer.yml

@@ -22,6 +22,9 @@ on:
   pull_request:
   # TODO: can we provide a default inputs here too?
 
+permissions:
+  contents: read
+
 jobs:
 
   simple-IPC-fuzz_sh:

.github/workflows/llext.yml

@@ -11,6 +11,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-24.04

.github/workflows/pull-request.yml

@@ -31,6 +31,9 @@ on:
   # Allows to call this forkflow from other workflows
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
 
   doxygen:

.github/workflows/repro-build.yml

@@ -14,6 +14,9 @@ name: Reproducible builds
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
 
+permissions:
+  contents: read
+
 jobs:
   main:
     runs-on: ubuntu-24.04

.github/workflows/rimage.yml

@@ -22,6 +22,9 @@ on:
     paths:
       - tools/rimage/**
 
+permissions:
+  contents: read
+
 jobs:
 
   # Basic build test

.github/workflows/sof-docs.yml

@@ -17,6 +17,9 @@ on:
   # Allows to call this forkflow from other workflows
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
 
   # This is unfortunately a mix of sof-docs/.github/ + pull-request.yml#doxygen

.github/workflows/sparse-zephyr.yml

@@ -11,6 +11,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   # As of sparse commit ce1a6720f69e / Sept 2022, the exit status of
   # sparse.c is an unusable mess and always zero in practice. Moreover