{
"name": "Token-Permissions",
"score": 9,
"reason": "detected GitHub workflow tokens with excessive permissions",
"details": [
"Info: topLevel 'contents' permission set to 'read': .github/workflows/actions-tests.yml:12",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:14",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:110",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:24",
"Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:29",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:30",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/cve-rebuild.yml:21",
"Info: jobLevel 'packages' permission set to 'read': .github/workflows/cve-rebuild.yml:30",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/cve-rebuild.yml:85",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/cve-rebuild.yml:124",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/pre-commit.yml:6",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:27",
"Warn: jobLevel 'packages' permission set to 'write': .github/workflows/release.yml:54: Verify which permissions are needed and consider whether you can reduce them. (High effort)",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:88",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:122",
"Warn: topLevel 'statuses' permission set to 'write': .github/workflows/run-system-tests.yml:7: Visit https://app.stepsecurity.io/secureworkflow/strimzi/strimzi-kafka-operator/run-system-tests.yml/main?enable=permissions",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/run-system-tests.yml:5",
"Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:14",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/system-tests.yml:31",
"Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/system-tests.yml:41: Verify which permissions are needed and consider whether you can reduce them. (High effort)",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/system-tests.yml:39",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/system-tests.yml:101",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/system-tests.yml:79",
"Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/system-tests.yml:81: Verify which permissions are needed and consider whether you can reduce them. (High effort)",
"Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/system-tests.yml:149: Verify which permissions are needed and consider whether you can reduce them. (High effort)",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/system-tests.yml:147",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/system-tests.yml:279",
"Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/system-tests.yml:281: Verify which permissions are needed and consider whether you can reduce them. (High effort)",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/system-tests.yml:312",
"Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/system-tests.yml:314: Verify which permissions are needed and consider whether you can reduce them. (High effort)",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/system-tests.yml:355"
]
}
Several top-level permissions are missing, which is why the score is low for this particular check of the OpenSSF Scorecard. The score can go to 10 if all the top-level permissions are set to contents: read (i.e., minimal permissions at the top level).
More details on this check:
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions