Set explicit permissions for GitHub Actions workflows

Merging PR via automated process

Author: picatz

.github/workflows/coverage.yml

@@ -4,6 +4,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   code-coverage:
     runs-on: ubuntu-latest-16-cores

.github/workflows/gradle-wrapper-validation.yml

@@ -1,6 +1,9 @@
 name: "Validate Gradle Wrapper"
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   validation:
     name: "Gradle wrapper validation"

.github/workflows/prepare-release.yml

@@ -24,6 +24,10 @@ on:
         description: "Publish Java Artifacts"
         required: true
         default: "true"
+
+permissions:
+  contents: read
+
 env:
   INPUT_REF: ${{ github.event.inputs.ref }}
   INPUT_TAG: ${{ github.event.inputs.tag }}
@@ -32,6 +36,8 @@ jobs:
   create_draft_release:
     name: Create Github draft release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Audit gh version
         run: gh --version
@@ -133,6 +139,9 @@ jobs:
     name: Attach native executables to release
     needs: [build_native_images, create_draft_release]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: write
     steps:
       - name: Audit gh version
         run: gh --version

.github/workflows/publish-snapshot.yml

@@ -22,6 +22,9 @@ on:
     tags-ignore:
       - 'v*'
 
+permissions:
+  contents: read
+
 jobs:
   publish-snapshot:
     if: github.repository == 'temporalio/sdk-java' || github.event_name == 'workflow_dispatch'