Simplify workflow permissions to minimal required

Set minimal permissions for all workflows:
- go.yml and golangci-lint.yml: contents:read only
- codeql-analysis.yml: contents:read and security-events:write
  (needed to upload security scan results)

This provides the most restrictive security posture while allowing
all workflows to function properly.

Author: oschwald

.github/workflows/codeql-analysis.yml

@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: '0 13 * * 4'
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   CodeQL-Build:
 

.github/workflows/go.yml

@@ -2,6 +2,9 @@ name: Go
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
 
   build:

.github/workflows/golangci-lint.yml

@@ -2,6 +2,9 @@ name: golangci-lint
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   golangci:
     name: lint