ci: declare workflow-level contents: read on 7 CI/lint workflows

Rebased onto current main to resolve conflicts. Pins GITHUB_TOKEN to contents: read on workflows that don't write to the GitHub API.

Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   test-ubuntu-latest:

.github/workflows/coverity.yml

@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   coverity:
     if: github.repository == 'redis/redis'

.github/workflows/external.yml

@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test-external-standalone:
     runs-on: ubuntu-latest

.github/workflows/redis_docs_sync.yaml

@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   redis_docs_sync:
     if: github.repository == 'redis/redis'

.github/workflows/reply-schemas-linter.yml

@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   reply-schemas-linter:
     runs-on: ubuntu-latest