build: harden workflow permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

.github/workflows/ci.yml

@@ -5,6 +5,9 @@ on:
   pull_request:
     branches: [ bleed ]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   linux:
     name: Linux (.NET 6.0)

.github/workflows/documentation.yml

@@ -8,6 +8,9 @@ on:
         required: true
         default: 'release-xxxxxxxx'
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   wiki:
     name: Update Wiki

.github/workflows/itch.yml

@@ -8,6 +8,7 @@ on:
         required: true
         default: 'release-xxxxxxxx'
 
+permissions: {}
 jobs:
   itch:
     name: Deploy to itch.io

.github/workflows/packaging.yml

@@ -7,6 +7,9 @@ on:
     - 'playtest-*'
     - 'devtest-*'
 
+permissions:
+  contents: write  #  for release creation (svenstaro/upload-release-action)
+
 jobs:
   source:
     name: Source Tarball