Description
I would like to suggest to the getrandom project to set minimal scoped permissions on its GitHub workflows (in this case the tests.yml file). This means setting the permissions as read-only at the top level, with any write permission granted at the job level.
This is necessary due to a behavior of GitHub workflows that grants the GITHUB_TOKEN write access for all permission types, regardless of whether they are used or not. In case the workflow gets compromised, an attacker can exploit these permissions.
This can be seen in the Action run step "Set up job" such as https://github.com/rust-random/getrandom/actions/runs/4412157849/jobs/7731354938.
Let me know if a PR is welcome with the changes mentioned above.
Thanks!
Disclosure: I'm from Google working with the OpenSSF to improve supply-chain security in many open source projects.
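As an added illustration of the pattern proposed above (not taken from the getrandom repository or the issue author), here is a hypothetical tests.yml with a read-only workflow-level default and a single job that is granted one write scope at the job level; the job names, steps and the `pull-requests: write` scope are assumptions for the sake of the example.

```yaml
# Hypothetical workflow (constructed for illustration, not getrandom's tests.yml).
name: Tests

on: [push, pull_request]

# Workflow-level default: the GITHUB_TOKEN of every job is read-only.
# Omitting this key lets GitHub's repository default apply, which may grant
# write access to all scopes whether or not a job uses them.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits only `contents: read`; a compromised step cannot push,
    # comment, create releases, or publish packages with this token.
    steps:
      - uses: actions/checkout@v3
      - run: cargo test

  # Assumed job that genuinely needs to write: grant the scope here, at the
  # job level, and only the scope it actually uses.
  report:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "post results to the PR (placeholder step)"
```

The scopes actually resolved for a run are printed in the "Set up job" step, which is the step the link above points at and the place to verify that the default is read-only.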