[build, test] Harden workflows' security (#5410)

Authored by: sashashura

.github/workflows/build.yml

@@ -1,8 +1,12 @@
 name: Build
 on: workflow_dispatch
+permissions:
+  contents: read
 
 jobs:
   prepare:
+    permissions:
+      contents: write  # for push_release
     runs-on: ubuntu-latest
     outputs:
       version_suffix: ${{ steps.version_suffix.outputs.version_suffix }}
@@ -69,9 +73,6 @@ jobs:
           python pyinst.py --onedir
           (cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .)
           python pyinst.py
-    - name: Get SHA2-SUMS
-      id: get_sha
-      run: |
 
     - name: Upload artifacts
       uses: actions/upload-artifact@v3
@@ -248,6 +249,8 @@ jobs:
 
 
   publish_release:
+    permissions:
+      contents: write  # for action-gh-release
     runs-on: ubuntu-latest
     needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy]
 

.github/workflows/core.yml

@@ -1,5 +1,8 @@
 name: Core Tests
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: Core Tests

.github/workflows/download.yml

@@ -1,5 +1,8 @@
 name: Download Tests
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
   quick:
     name: Quick Download Tests

.github/workflows/quick-test.yml

@@ -1,5 +1,8 @@
 name: Quick Test
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: Core Test