ci: fix overly broad permissions

.github/workflows/build.yml

@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/bump_oxlint.yml

@@ -10,9 +10,13 @@ on:
 env:
   OXLINT_PACKAGE_NAME: oxlint
 
+permissions: {}
+
 jobs:
   bump:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:

.github/workflows/ci_security.yml

@@ -13,6 +13,8 @@ on:
     paths:
       - '.github/workflows/**'
 
+permissions: {}
+
 jobs:
   zizmor:
     name: zizmor

.github/workflows/format.yml

@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   format:
     runs-on: ubuntu-latest

.github/workflows/generate.yml

@@ -17,6 +17,8 @@ on:
       - 'scripts/**'
       - '.github/workflows/generate.yml'
 
+permissions: {}
+
 jobs:
   generate:
     runs-on: ubuntu-latest

.github/workflows/lint.yml

@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -4,6 +4,8 @@ on:
   push:
     branches: [main]
 
+permissions: {}
+
 jobs:
   release:
     if: startsWith(github.event.head_commit.message, 'release')

.github/workflows/test.yml

@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest

.github/workflows/type-check.yml

@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   type-check:
     runs-on: ubuntu-latest