Set per-job GitHub Actions permissions and Remove top-level permissions

Author: MH0386

.github/workflows/ci.yml

@@ -5,9 +5,6 @@ on:
   push:
     branches:
       - main
-permissions:
-  checks: write
-  contents: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -17,6 +14,10 @@ jobs:
     runs-on: ubuntu-latest
     environment:
       name: code_quality
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
@@ -39,6 +40,10 @@ jobs:
     runs-on: ubuntu-latest
     environment:
       name: code_quality
+    permissions:
+      checks: write
+      contents: write
+      pull-requests: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
@@ -70,6 +75,8 @@ jobs:
     needs: [compatibility, test]
     environment:
       name: build
+    permissions:
+      contents: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0