Add missing GitHub action explicit permissions

[TimoPtr]

Summary

Fix missing permission properties reported by CodeQL on its first run. The permission needs to be explicit and not to widely open at the workflow level so that we can control during review process what we are exposing. It is also helpful to limit what can a third party action can do in our CI env.

Checklist

• New or updated tests have been added to cover the changes following the testing guidelines.
• The code follows the project's code style and best_practices.
• The changes have been thoroughly tested, and edge cases have been considered.
• Changes are backward compatible whenever feasible. Any breaking changes are documented in the changelog for users and/or in the code for developers depending on the relevance.

[jpelgrom]

Took me a while to find the issues you were referring to, they're locked behind a login and permissions.

Good idea to reduce where possible, but hard to test properly before merging. I can think of two potential issues after reviewing the changes, but am not 100% sure.

[jpelgrom]

Suggested change

	permissions:
	actions: write
	contents: write
	permissions:
	actions: write
	contents: write
	pull_requests: write

It'll also need permissions to create a pull request

[TimoPtr]

I'm not sure we need this one. The pull_requedt permission from the documentation is for modifying an existing pull request like adding a label https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-pull-requests

I think I'll have to test ...

[jpelgrom]

On that page it says that POST /repos/{owner}/{repo}/pulls is part of pull_requests, suggesting to me that we do need it. But I'm also willing to test without, not a major issue if this workflow fails once because of missing permissions.

[jpelgrom]

Doesn't it need permission to create inline comments/issues for lint issues that were found?

[TimoPtr]

Well I tried to test and I didn't manage to get any annotations to be displayed... I tried for yaml I should probably try for ktlint.
With the current permission the annotations are in the checks.

There is something I don't fully understand on the checks yet. I also looked in the documentation of the permissions and I didn't find things related to annotations.