GitHub Workflows security hardening (#8267)

Signed-off-by: Alex <aleksandrosansan@gmail.com>

.github/workflows/jvm_tests.yml

@@ -2,6 +2,9 @@ name: XGBoost-JVM-Tests
 
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test-with-jvm:
     name: Test JVM on OS ${{ matrix.os }}

.github/workflows/main.yml

@@ -6,6 +6,9 @@ name: XGBoost-CI
 # events but only for the master branch
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   gtest-cpu:

.github/workflows/python_tests.yml

@@ -2,6 +2,9 @@ name: XGBoost-Python-Tests
 
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   python-mypy-lint:
     runs-on: ubuntu-latest

.github/workflows/python_wheels.yml

@@ -2,6 +2,9 @@ name: XGBoost-Python-Wheels
 
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   python-wheels:
     name: Build wheel for ${{ matrix.platform_id }}

.github/workflows/r_nold.yml

@@ -10,6 +10,9 @@ on:
 env:
   R_PACKAGES: c('XML', 'igraph', 'data.table', 'ggplot2', 'DiagrammeR', 'Ckmeans.1d.dp', 'vcd', 'testthat', 'lintr', 'knitr', 'rmarkdown', 'e1071', 'cplm', 'devtools', 'float', 'titanic')
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test-R-noLD:
     if: github.event.comment.body == '/gha run r-nold-test' && contains('OWNER,MEMBER,COLLABORATOR', github.event.comment.author_association)

.github/workflows/r_tests.yml

@@ -6,6 +6,9 @@ env:
   R_PACKAGES: c('XML', 'data.table', 'ggplot2', 'DiagrammeR', 'Ckmeans.1d.dp', 'vcd', 'testthat', 'lintr', 'knitr', 'rmarkdown', 'e1071', 'cplm', 'devtools', 'float', 'titanic')
   GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   lintr:
     runs-on: ${{ matrix.config.os }}