[PATCH 2/9] CI: Consistently add a top-level `permissions` definition to GHA workflows

[Tim Duesterhus]

This makes it easy to verify the permissions and to apply them to all jobs
within a given workflow.
---
 .github/workflows/aws-lc-fips.yml           | 3 +++
 .github/workflows/aws-lc.yml                | 3 +++
 .github/workflows/illumos.yml               | 5 +++--
 .github/workflows/netbsd.yml                | 5 +++--
 .github/workflows/quic-interop-aws-lc.yml   | 4 ++--
 .github/workflows/quic-interop-libressl.yml | 4 ++--
 6 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/aws-lc-fips.yml 
b/.github/workflows/aws-lc-fips.yml
index cb758c6a3..b7a5dbd3a 100644
--- a/.github/workflows/aws-lc-fips.yml
+++ b/.github/workflows/aws-lc-fips.yml
@@ -5,6 +5,9 @@ on:
     - cron: "0 0 * * 4"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: ./.github/workflows/aws-lc-template.yml
diff --git a/.github/workflows/aws-lc.yml b/.github/workflows/aws-lc.yml
index 1e4125712..bed888b91 100644
--- a/.github/workflows/aws-lc.yml
+++ b/.github/workflows/aws-lc.yml
@@ -5,6 +5,9 @@ on:
     - cron: "0 0 * * 4"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: ./.github/workflows/aws-lc-template.yml
diff --git a/.github/workflows/illumos.yml b/.github/workflows/illumos.yml
index 18284e415..7105e7459 100644
--- a/.github/workflows/illumos.yml
+++ b/.github/workflows/illumos.yml
@@ -5,12 +5,13 @@ on:
     - cron: "0 0 25 * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gcc:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 
'workflow_dispatch' }}
-    permissions:
-      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v5
diff --git a/.github/workflows/netbsd.yml b/.github/workflows/netbsd.yml
index 1c31aa968..834011eaf 100644
--- a/.github/workflows/netbsd.yml
+++ b/.github/workflows/netbsd.yml
@@ -5,12 +5,13 @@ on:
     - cron: "0 0 25 * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gcc:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 
'workflow_dispatch' }}
-    permissions:
-      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v5
diff --git a/.github/workflows/quic-interop-aws-lc.yml 
b/.github/workflows/quic-interop-aws-lc.yml
index 718ebbe8c..a6e82788d 100644
--- a/.github/workflows/quic-interop-aws-lc.yml
+++ b/.github/workflows/quic-interop-aws-lc.yml
@@ -9,13 +9,13 @@ on:
   schedule:
     - cron: "0 0 * * 2"
 
+permissions:
+  contents: read
 
 jobs:
   combined-build-and-run:
     runs-on: ubuntu-24.04
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 
'workflow_dispatch' }}
-    permissions:
-      contents: read
 
     steps:
       - uses: actions/checkout@v5
diff --git a/.github/workflows/quic-interop-libressl.yml 
b/.github/workflows/quic-interop-libressl.yml
index 6c5d23d98..c40564709 100644
--- a/.github/workflows/quic-interop-libressl.yml
+++ b/.github/workflows/quic-interop-libressl.yml
@@ -9,13 +9,13 @@ on:
   schedule:
     - cron: "0 0 * * 2"
 
+permissions:
+  contents: read
 
 jobs:
   combined-build-and-run:
     runs-on: ubuntu-24.04
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 
'workflow_dispatch' }}
-    permissions:
-      contents: read
 
     steps:
       - uses: actions/checkout@v5
-- 
2.53.0