Set workflow permissions where required

.github/workflows/ci-full-check.yml

@@ -31,6 +31,8 @@ jobs:
 
   dependency-graph:
     uses: ./.github/workflows/integ-test-dependency-graph.yml
+    permissions:
+      contents: write
     with:
       cache-key-prefix: ${{github.run_number}}-
 

.github/workflows/ci-quick-check.yml

@@ -53,6 +53,8 @@ jobs:
   dependency-graph:
     needs: build-distribution
     uses: ./.github/workflows/integ-test-dependency-graph.yml
+    permissions:
+      contents: write
     with:
       runner-os: '["ubuntu-latest"]'
       download-dist: true

.github/workflows/demo-pr-build-scan-comment.yml

@@ -2,6 +2,10 @@ name: Demo adding Build Scan® comment to PR
 on:
   pull_request:
     types: [assigned, review_requested]
+
+permissions:
+  pull_request: write
+
 jobs:
   successful-build-with-always-comment:
     runs-on: ubuntu-latest

.github/workflows/integ-test-dependency-graph.yml

@@ -12,6 +12,9 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: write
+
 env:
   DOWNLOAD_DIST: ${{ inputs.download-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}