ci: tighten several GHActions a bit more

with https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions

.github/workflows/build_test.yml

@@ -12,6 +12,8 @@ on:
       - 'src/**'
       - 'test/fuzz/**'
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-20.04

.github/workflows/cifuzz.yml

@@ -4,6 +4,9 @@
 # See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
 
 name: CIFuzz
+
+permissions: read-all
+
 on:
   pull_request:
     paths:

.github/workflows/coverity.yml

@@ -9,6 +9,8 @@ on:
     # Run Coverity daily at midnight
     - cron:  '0 0 * * *'
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-20.04

.github/workflows/labeler.yml

@@ -7,6 +7,10 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   triage:
     runs-on: ubuntu-latest

.github/workflows/linter.yml

@@ -10,6 +10,8 @@ on:
       - main
       - v[0-9]+-stable
 
+permissions: read-all
+
 jobs:
   build:
     name: Lint Code Base

.github/workflows/mkosi.yml

@@ -14,6 +14,8 @@ on:
       - main
       - v[0-9]+-stable
 
+permissions: read-all
+
 jobs:
   ci:
     runs-on: ubuntu-20.04

.github/workflows/unit_tests.yml

@@ -9,6 +9,8 @@ on:
       - main
       - v[0-9]+-stable
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-20.04