CI: defining minimal workflow permissions

[diogoteles08]

Hi!

I'm here to suggest that you set minimal permissions to your workflow go.yml, because currently it doesn't specify the permissions for its jobs and their privileges are being determined by GitHub's defaults.

As the change would be really simple and this very similar PR was already merged, I'll take the liberty and already open a PR with the suggested changes 😊

Context

I'm Diogo and I work on Google's Open Source Security Team(GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊

[diogoteles08]

Hey @bwplotka, I noticed that one of the changes made by the PR #1180 was reverted, and now one of your workflows lack the minimal permissions. I'm getting back to this issue to expose that and try to help understand what happened.

The change was made on this commit, which seems to be automated and supposedly syncing the file with this file on prometheus/prometheus. Do you think it makes sense to send a PR to prometheus/prometheus to add the minimal permissions to that original file?

Another think that I could suggest is that you change (if you haven't already) the repository configuration to set the default permissions to read-only. In this case, if any workflow gets changed (or created) and forget to explicitly declare the permissions, it would run with read-only permissions and any action that requires write-permissions would fail.

[diogoteles08]

I took the liberty and sent a PR to prometheus/prometheus and changed that original file. Now when your workflow imports the file according to the one in prometheus/prometheus, it should keep the minimal permissions.

That said, I'll send a small PR also resetting the minimal permission here, so we won't need to wait for the import from prometheus/prometheus to get it secured.