GHA CI: use least permission level

`actions: write` is required by Chocobo1/setup-ccache-action.
`pull-requests: write` is required by actions/stale.
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

.github/workflows/ci_file_health.yaml

@@ -2,6 +2,8 @@ name: CI - File health
 
 on: [pull_request, push]
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: ${{ github.head_ref != '' }}

.github/workflows/ci_macos.yaml

@@ -2,6 +2,9 @@ name: CI - macOS
 
 on: [pull_request, push]
 
+permissions:
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: ${{ github.head_ref != '' }}

.github/workflows/ci_ubuntu.yaml

@@ -2,6 +2,9 @@ name: CI - Ubuntu
 
 on: [pull_request, push]
 
+permissions:
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: ${{ github.head_ref != '' }}

.github/workflows/ci_webui.yaml

@@ -2,6 +2,8 @@ name: CI - WebUI
 
 on: [pull_request, push]
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: ${{ github.head_ref != '' }}

.github/workflows/ci_windows.yaml

@@ -2,6 +2,9 @@ name: CI - Windows
 
 on: [pull_request, push]
 
+permissions:
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: ${{ github.head_ref != '' }}

.github/workflows/coverity-scan.yml

@@ -5,6 +5,8 @@ on:
     - cron: '0 0 1 * *' # Monthly (1st day of month at midnight)
   workflow_dispatch: # Mainly for testing. Don't forget the Coverity usage limits.
 
+permissions: {}
+
 jobs:
   coverity_scan:
     name: Scan

.github/workflows/stale_bot.yaml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest