ci: scope down GitHub Token permissions (#1371)

## Scope Down GitHub Token Permissions

This PR updates GitHub Actions workflows to use minimal required
permissions instead of the default elevated permissions.

### Why This Matters

Following the principle of least privilege, workflows should only have
the specific permissions they need to function.

### Changes

This PR adds explicit `permissions:` blocks to workflows that currently
rely on default permissions, scoping them down to only what's required
for their operations.

Please review the changes to ensure the specified permissions match your
workflow requirements.

Author: AdnaneKhan

.github/workflows/audit.yaml

@@ -22,6 +22,9 @@ env:
   # serde_cbor is being imported by criterion, a benchmarking crate. More info here https://github.com/awslabs/smithy-rs/issues/1044
   cargo_audit_flags: --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2021-0127
 
+permissions:
+  contents: read
+
 jobs:
   audit-latest:
     name: Audit Latest Dependencies

.github/workflows/ci.yaml

@@ -13,6 +13,9 @@ env:
   RUST_VERSIONS: "stable"
   RUST_VERSION: "stable"
 
+permissions:
+  contents: read
+
 jobs:
   generate-test-sdk-matrix:
     runs-on: ubuntu-latest

.github/workflows/closed-issue-message.yaml

@@ -2,6 +2,9 @@ name: Closed Issue Message
 on:
     issues:
        types: [closed]
+permissions:
+  issues: write
+
 jobs:
     auto_comment:
         runs-on: ubuntu-latest

.github/workflows/release-checks.yaml

@@ -6,6 +6,9 @@ on:
 
 name: Release Configuration Checks
 
+permissions:
+  contents: read
+
 jobs:
   check-config:
     runs-on: ubuntu-latest

.github/workflows/stale_issue.yaml

@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: "*/60 * * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest