Merge pull request #4734 from sashashura/patch-7

GitHub Workflows security hardening

.github/workflows/ccpp.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   job:
     name: ${{ matrix.name }}-build-and-test

.github/workflows/sanitizer.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   job1:
     name: adress-sanitizer