Add explicit permissions blocks to caller workflow files (#176)

## Summary

Adds explicit `permissions:` blocks to the workflow files that call
ITensorActions reusable workflows.

Most of these files previously declared no `permissions:` block and
inherited their `GITHUB_TOKEN` ceiling from the repository /
organization Actions defaults. After this change, each workflow's
permissions live in the YAML rather than in a settings page, and any
future change to the org or per-repo Actions default can only narrow
(never widen) what these workflows can do.

Each block declares the minimum the workflow actually needs (`contents:
read` for checkout-only workflows; elevated for Documentation gh-pages
deploy, TagBot tag creation, IntegrationTest's gate job, and
VersionCheck's PR-file lookup).

Verified by temporarily flipping this repo's per-repo Actions setting to
`default_workflow_permissions: read` and
`can_approve_pull_request_reviews: false` — the planned org-default end
state. All workflows pass.

Author: mtfishman

.github/workflows/CheckCompatBounds.yml

@@ -1,6 +1,8 @@
 name: "Check Compat Bounds"
 on:
   pull_request: ~
+permissions:
+  contents: "read"
 jobs:
   check-compat-bounds:
     name: "Check Compat Bounds"

.github/workflows/Documentation.yml

@@ -10,6 +10,8 @@ on:
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: "${{ github.ref_name != github.event.repository.default_branch || github.ref != 'refs/tags/v*' }}"
+permissions:
+  contents: "write"
 jobs:
   build-and-deploy-docs:
     name: "Documentation"

.github/workflows/FormatCheck.yml

@@ -6,6 +6,8 @@ on:
       - "synchronize"
       - "reopened"
       - "ready_for_review"
+permissions:
+  contents: "read"
 jobs:
   format-check:
     name: "Format Check"

.github/workflows/IntegrationTest.yml

@@ -11,6 +11,9 @@ on:
       - "reopened"
       - "ready_for_review"
       - "converted_to_draft"
+permissions:
+  actions: "read"
+  contents: "read"
 jobs:
   integration-test:
     name: "IntegrationTest"

.github/workflows/TagBot.yml

@@ -6,6 +6,9 @@ on:
   workflow_dispatch: ~
 env:
   REGISTRY_TAGBOT_ACTION: "JuliaRegistries/TagBot"
+permissions:
+  contents: "write"
+  issues: "read"
 jobs:
   TagBot:
     if: "github.event_name == 'workflow_dispatch' || github.actor == 'JuliaTagBot'"

.github/workflows/Tests.yml

@@ -19,6 +19,8 @@ on:
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: "${{ startsWith(github.ref, 'refs/pull/') }}"
+permissions:
+  contents: "read"
 jobs:
   tests:
     name: "Tests"

.github/workflows/VersionCheck.yml

@@ -1,6 +1,9 @@
 name: "Version Check"
 on:
   pull_request: ~
+permissions:
+  contents: "read"
+  pull-requests: "read"
 jobs:
   version-check:
     name: "Version Check"