RFR: 8293368: GitHub Workflows security hardening
Kevin Rushforth
kcr at openjdk.org
Mon Sep 5 17:44:44 UTC 2022
On Thu, 1 Sep 2022 20:37:27 GMT, Alex <duke at openjdk.org> wrote:
> This PR adds an explicit [permissions section](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) to workflows. This is a security best practice because by default workflows run with an [extended set of permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) (except for `on: pull_request` [from external forks](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an [injection](https://securitylab.github.com/research/github-actions-untrusted-input/) or a compromised third-party tool or action) is restricted.
> It is recommended to have the [most strict permissions at the top level](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and grant write permissions at the [job level](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) case by case.
@sashashura You need to enable running GHA workflows in your personal fork of the `jfx` repo. Given that you are changing the GHA workflow, we will need to see the results from your run in this PR.
This seems worth evaluating. Given that we don't enable workflows in any of the repos of the openjdk organization, the impact of not doing this is limited (the workflow only runs in the context of the user pushing to their own branch), but as long as it doesn't preclude doing anything legitimate, it might be a good idea. I filed a new JBS issue -- [JDK-8293368](https://bugs.openjdk.org/browse/JDK-8293368) -- for this.
@sashashura Please change the title of this PR to:
8293368: GitHub Workflows security hardening
-------------
Changes requested by kcr (Lead).
PR: https://git.openjdk.org/jfx/pull/889
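The pattern the quoted PR description refers to, as an added illustration that is not the jfx workflow and not code from the PR: a constructed workflow with a read-only `permissions` block at the top level and a write permission granted to a single job. The workflow name, job names and build step are placeholders. Leaving the top-level `permissions` key out entirely would give every job the default, broader `GITHUB_TOKEN` scopes described in the linked documentation.

```yaml
# Constructed example workflow; not the jfx repository's own workflow.
name: build

on:
  push:
  pull_request:

# Top level: least privilege for every job unless a job overrides it.
# Listing any permission explicitly sets every unlisted scope to 'none'
# (before this change the key was absent, so the token kept its default scopes).
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only GITHUB_TOKEN from the top level.
    steps:
      - uses: actions/checkout@v3
      - run: ./build.sh   # placeholder build step

  publish-results:
    needs: build
    runs-on: ubuntu-latest
    # Only this job needs a write scope, so it is granted here, case by case.
    permissions:
      contents: read
      checks: write
    steps:
      - run: echo "placeholder: publish check results with the job-scoped token"
```

Because the verifier of a workflow change is the run itself, the practical check is the one Kevin asks for above: run the modified workflow in a fork and confirm that every job still completes with the reduced token, since a step that silently relied on a default write scope will fail only at that point.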