[ci] Explicitly declare permissions and limit credentials (#15324)

Authored by: bashonly

.github/workflows/test-workflows.yml

@@ -14,8 +14,9 @@ on:
       - devscripts/setup_variables.py
       - devscripts/setup_variables_tests.py
       - devscripts/utils.py
-permissions:
-  contents: read
+
+permissions: {}
+
 env:
   ACTIONLINT_VERSION: "1.7.9"
   ACTIONLINT_SHA256SUM: 233b280d05e100837f4af1433c7b40a5dcb306e3aa68fb4f17f8a7f45a7df7b4
@@ -24,9 +25,13 @@ env:
 jobs:
   check:
     name: Check workflows
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: "3.10"  # Keep this in sync with release.yml's prepare job