Restrict CI workflow permissions to readonly contents

.github/workflows/ci.yaml

@@ -1,11 +1,14 @@
 name: ci
 
 on:
-    push:
+  push:
-        branches: [ "master" ]
+    branches: [ "master" ]
-    pull_request:
+  pull_request:
-        branches: [ "master" ]
+    branches: [ "master" ]
-    workflow_call:
+  workflow_call:
+
+permissions:
+  contents: read
 
 jobs:
   build: