
Audit & Harden GitHub Actions workflow permissions across stride3d org #3182

Description

@VaclavElias

Harden GitHub Actions Workflow Permissions

GitHub now recommends setting explicit permissions for each workflow/job to ensure least privilege for Actions tokens. To improve security and future-proof our automation:

  • Audit every workflow in .github/workflows/ and add explicit permissions: (preferably at the workflow level)
  • For pure build/test jobs, use permissions: contents: read
  • For workflows needing to comment, create releases, publish, or update repo state, add only the minimal additional permissions required
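As an added illustration (not code from the stride3d/stride repository or from the issue author), the POSIX shell script below writes two constructed sample workflows into a temporary directory and then audits it the way the first bullet describes. The file names are borrowed from the candidate list in this issue, but their contents are made up for the example: one file has no `permissions:` block at all and so inherits the repository's default `GITHUB_TOKEN` scopes, the other declares `contents: read` at the workflow level and grants a single job the extra `pull-requests: write` scope it needs. The `dotnet` commands and the "report" job are placeholders, not steps from the real workflows.

```shell
#!/bin/sh
# Constructed example for auditing workflow-level "permissions:" blocks.
# Not part of the stride3d/stride repository; file contents are made up.
set -eu

# make_fixtures DIR: write two constructed workflow files into DIR.
make_fixtures() {
    dir=$1
    mkdir -p "$dir"

    # Weak: no permissions block, so every job inherits the repository's
    # default GITHUB_TOKEN permissions (possibly read-write on contents).
    cat > "$dir/build-linux-runtime.yml" <<'EOF'
name: Build Linux runtime
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet build
EOF

    # Hardened: read-only token for the whole workflow; the one job that
    # must comment on a pull request gets only that additional scope.
    cat > "$dir/test-linux-simple.yml" <<'EOF'
name: Test Linux simple
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet test
  report:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "placeholder: post a PR comment here"
EOF
}

# has_top_level_permissions FILE: succeed if FILE declares "permissions:"
# at column 0, i.e. at the workflow level. Indented (job-level) blocks are
# deliberately not counted, since the issue prefers workflow-level blocks.
has_top_level_permissions() {
    grep -Eq '^permissions:' "$1"
}

# audit_workflows DIR: print the basename of every *.yml / *.yaml file in
# DIR that lacks a workflow-level permissions block, one per line.
audit_workflows() {
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        if ! has_top_level_permissions "$f"; then
            basename "$f"
        fi
    done
}

# Stand-alone usage: build the fixtures in a temp dir and list offenders.
main() {
    tmp=$(mktemp -d)
    make_fixtures "$tmp"
    echo "Workflows without a workflow-level permissions block:"
    audit_workflows "$tmp"
    rm -rf "$tmp"
}

main
```

Pointing `audit_workflows` at a real checkout's `.github/workflows/` lists the files still relying on the default token; a file that only sets `permissions:` inside individual jobs is reported too, which matches the issue's preference for a workflow-level block, so treat those hits as candidates to review rather than as definite findings.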

Related tasks for other stride3d repos

  • stride3d/stride-docs: Audit and restrict workflow permissions
  • stride3d/stride-website: Audit and restrict workflow permissions
  • stride3d/stride-community-toolkit: Audit and restrict workflow permissions

Possible candidates for stride repository

build-android.yml
build-assembly-processor.yml
build-ios.yml
build-linux-runtime.yml
build-windows-full.yml
build-windows-runtime.yml
test-linux-game.yml
test-linux-simple.yml
test-windows-editor.yml
test-windows-game.yml
test-windows-simple.yml

References:

Goal: Reduce risk surface, improve clarity, and follow best practices by adhering to the principle of least privilege for all GitHub Actions.

Metadata

Labels: dependencies (Pull requests that update a dependency file)