workflows: limit permissions to reading repo contents

Move the existing docs permissions stanza to the top of the workflow for
consistency.

.github/workflows/docs.yml

@@ -1,19 +1,21 @@
 ---
 name: Docs
+
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
 
+permissions:
+  # This workflow pushes to the gh-pages branch, so the token needs write
+  # privileges for repo contents.
+  contents: write
+
 jobs:
   docs:
     name: Build documentation
     runs-on: ubuntu-latest
-    permissions:
-      # This job pushes to the gh-pages branch, so the token needs write
-      # privileges for repo contents.
-      contents: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2

.github/workflows/release.yml

@@ -7,6 +7,9 @@ on:
     paths:
       - 'configure.ac'
 
+permissions:
+  contents: read
+
 jobs:
   ci-release-build:
     name: "Sanity check release commits"

.github/workflows/rust.yml

@@ -1,11 +1,15 @@
 ---
 name: Rust
+
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   ACTIONS_LINTS_TOOLCHAIN: 1.53.0

.github/workflows/tests.yml

@@ -1,11 +1,15 @@
 ---
 name: Tests
+
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     # Distro configuration matrix