ci(security): reduce workflow permissions (#207)

By default, set all the workflow permissions to read-all, then 
provide permissions one by one to each job requiring more
permissions.

Closes #206

Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>

.github/workflows/bake.yaml

@@ -17,6 +17,8 @@ on:
         default: ""
         description: "A comma separated list of targets to build. If empty, all targets will be built."
 
+permissions: read-all
+
 jobs:
   # Start by building images for testing. We want to run security checks before pushing those to production.
   testbuild:

.github/workflows/build.yml

@@ -8,6 +8,8 @@ on:
       - Debian/ClusterImageCatalog*.yaml
   workflow_dispatch:
 
+permissions: read-all
+
 env:
   IMAGE_STAGING: "ghcr.io/${{ github.repository_owner }}/postgresql-testing"
   IMAGE_RELEASE: "ghcr.io/${{ github.repository_owner }}/postgresql"
@@ -179,6 +181,8 @@ jobs:
     name: Generate ClusterImageCatalog
     runs-on: ubuntu-24.04
     needs: build
+    permissions:
+      contents: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

.github/workflows/update.yml

@@ -9,6 +9,8 @@ defaults:
   run:
     shell: 'bash -Eeuo pipefail -x {0}'
 
+permissions: read-all
+
 jobs:
   build:
     name: Run update script