[infra] Add minimum token permissions for all github workflow files

[opentelemetrybot]

See open-telemetry/sig-security#148 for details.

Please check this PR carefully and watch out for any permission-related workflow failures after merging it.

cc @trask

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.74%. Comparing base (9480cb3) to head (c6ff7e8).
Report is 3 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6357      +/-   ##
==========================================
+ Coverage   86.69%   86.74%   +0.05%     
==========================================
  Files         258      258              
  Lines       11850    11850              
==========================================
+ Hits        10273    10279       +6     
+ Misses       1577     1571       -6     

Flag	Coverage Δ
unittests-Project-Experimental	86.30% <ø> (-0.18%)	⬇️
unittests-Project-Stable	86.65% <ø> (+0.08%)	⬆️
unittests-Solution	86.64% <ø> (+0.10%)	⬆️
unittests-UnstableCoreLibraries-Experimental	85.87% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 4 files with indirect coverage changes

[github-actions]

This PR was marked stale due to lack of activity and will be closed in 7 days. Commenting or pushing will instruct the bot to automatically remove the label. This bot runs once per day.

[Kielek]

I am fully support changes, but I do not have yet time to verify changes.
@trask, in this PR you are allowing only read permissions, under the hood otel-bot is used:

What is more around line 125 GH API is called to create release. I am not fully familiar with GH permissions, do you think that it will be working without any problems?

[trask]

otelbot has its own token, so these permissions don't affect it

[Kielek]

LGTM, based on what I have tested in contrib repository it should be fine to merge as is.