infra/workflow: Reduce workflow permissions

By explicitly listing the permissions required in general, repositories
without restrictive permissions will only allocate the specified
permissions which is much safer than the default, fairly wide,
permissions grant.

Most workflows don't appear to need any permissions beyond
`contents: read` which is required for checkout (when a repository is
private). By specifying this permission, it tells GitHub not to include
any of its additional default permissions (when a repository is
configured permissively).

The .github/workflows/memcheck_*.sh scripts called by build_ubuntu.yml
require write permissions in order to post their output to a pull
request (as a comment).

In locked down GitHub repositories, unless a workflow/job asks for
write permissions, it will not have them and such API calls will result
in:

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/issues/comments#create-an-issue-comment",
  "status": "403"
}

By specifically requesting the permissions, the workflow will continue
to work as expected.

.github/workflows/build_android.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build_x86_64:
     runs-on: ubuntu-latest

.github/workflows/build_ios.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build_x86_64:
     runs-on: macos-latest

.github/workflows/build_macos.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: macos-latest

.github/workflows/build_ubuntu.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -45,6 +48,10 @@ jobs:
 
   unit_test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
     steps:
     - uses: actions/checkout@v4
       with:

.github/workflows/build_windows.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: windows-latest