[TRACKING] Set explicit permissions for GitHub workflows

[incertum]

For enhanced security, set explicit permissions for GitHub workflows. This applies to both the primary "caller" workflows and the reusable "callee" workflows they invoke (this repo hosts popular reusable "callee" workflows).

This approach aligns with security best practices, as detailed in the following documentation:

• https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes
• https://openssf.org/blog/2024/08/12/mitigating-attack-vectors-in-github-workflows/

CC @FranzBusch @ktoso @Lukasa

• benchmarks.yml
• cmake_tests.yml
• cxx_interop.yml
• macos_tests.yml
• main.yml
• pull_request_label.yml
• pull_request.yml
• release_builds.yml
• static_sdk.yml
• swift_6_language_mode.yml
• swift_load_test_matrix.yml
• swift_matrix.yml
• swift_test_matrix.yml
• unit_tests.yml
• wasm_sdk.yml

[incertum]

The following workflows are commonly reused:

cxx_interop.yml
unit_tests.yml
benchmarks.yml
release_builds.yml

[incertum]

I’ve opened PRs for the five most crucial ones for now. These PRs are related to downstream reusable workflows.

[rnro]

Thanks for filing this. I think we're fairly protected because we require approval before PRs run and don't make use of any additional secrets - but there's nothing wrong with defense in depth.