[CI] Update workflows' permissions to least privilege

Author: lukaszstolarczuk

.github/workflows/detect_changes.yml

@@ -12,6 +12,7 @@ on:
 
 permissions:
   contents: read
+  packages: read
 
 jobs:
   DetectChanges:

.github/workflows/nightly.yml

@@ -9,6 +9,7 @@ on:
 
 permissions:
   contents: read
+  pull-requests: read
 
 env:
   BUILD_DIR : "${{github.workspace}}/build"

.github/workflows/reusable_benchmarks.yml

@@ -31,6 +31,7 @@ on:
 
 permissions:
   contents: read
+  pull-requests: read
 
 env:
   UMF_DIR: "${{github.workspace}}/umf-repo"

.github/workflows/reusable_codeql.yml

@@ -5,6 +5,7 @@ on: workflow_call
 
 permissions:
   contents: read
+  security-events: read
 
 env:
   BUILD_DIR : "${{github.workspace}}/build"

.github/workflows/reusable_dockers_build.yml

@@ -6,8 +6,8 @@ on:
   workflow_dispatch:
 
 permissions:
-  packages: write
   contents: read
+  packages: read
 
 jobs: 
   build-dockers:
@@ -17,6 +17,9 @@ jobs:
         os: [ubuntu-20.04, ubuntu-22.04, ubuntu-24.04]
     env:
       IMG: ghcr.io/bb-ur/umf-${{ matrix.os }}:latest
+    permissions:
+      contents: read
+      packages: write
 
     steps:
       - name: Checkout repository

.github/workflows/reusable_trivy.yml

@@ -5,6 +5,7 @@ on: workflow_call
 
 permissions:
   contents: read
+  security-events: read
 
 jobs:
   trivy:

.github/workflows/scorecard.yml

@@ -12,7 +12,9 @@ on:
   push:
     branches: [ "main" ]
 
-permissions: read-all
+permissions:
+  contents: read
+  security-events: read
 
 jobs:
   analyze: