Set workflow permissions

Since 2023, it has been possible to limit the permissions granted to
a workflow. The default of all permissions is now being flagged as
a security issue, so add some minimal permissions.

It isn't really clear from the docs which of these are actually
required, as the only detailed docs are at the web API level, but
libraries for working with actions are generally in Python or NodeJS
and the libraries have not been updated to state which permissions
they require.
Jason Rumney 9 months ago
parent
commit
ee316831c0

+ 4 - 0
.github/workflows/hacs-validate.yml

@@ -7,6 +7,10 @@ on:
 jobs:
   validate:
     runs-on: ubuntu-latest
+  permissions:
+    contents: read
+    pull-requests: write
+
     steps:
       - uses: actions/checkout@v4
       - name: HACS validation
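Review bot: the added `permissions:` block is indented two spaces, the same level as `validate:`, so YAML reads it as a second entry under `jobs:` rather than as a property of the `validate` job, and the `steps:` line that follows at four spaces becomes a key inside that stray `permissions` mapping, leaving `validate` with no steps and the workflow invalid. Indent the block by four spaces so it sits under `validate:` next to `runs-on:`, as the linting.yml hunk in this commit does:
    permissions:
      contents: read
      pull-requests: write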

+ 5 - 0
.github/workflows/hassfest-validate.yml

@@ -7,6 +7,11 @@ on:
 jobs:
   validate:
     runs-on: ubuntu-latest
+
+  permissions:
+    contents: read
+    pull-requests: write
+
     steps:
       - uses: actions/checkout@v4
       - uses: home-assistant/actions/hassfest@master
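Review bot: `permissions:` is indented at two spaces here, level with `validate:`, so it is parsed as a sibling job under `jobs:` instead of a setting of the `validate` job, and `steps:` at four spaces is swallowed into that `permissions` mapping; the workflow will fail validation. Move the block under `validate:` at four-space indentation (the layout used in linting.yml and tests.yml in this same commit) and drop the surrounding blank `+` lines, which only add noise to the diff.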

+ 4 - 0
.github/workflows/linting.yml

@@ -5,6 +5,10 @@ on: [push, pull_request]
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@v4
 
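Review bot: nothing visible in this hunk justifies `checks: write` or `pull-requests: write`; the only step shown is `actions/checkout@v4`, which needs just `contents: read`. Since the commit message itself says it is unclear which scopes the actions require, add a YAML comment naming the step that needs each write scope, or start from `contents: read` alone and widen only when a step fails with a permission error. Note also that on `pull_request` runs triggered from forks the token is read-only regardless of this block, so the write scopes only take effect for pushes and same-repository PRs.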

+ 4 - 0
.github/workflows/tests.yml

@@ -12,6 +12,10 @@ on:
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
     strategy:
       matrix:
         python-version: ['3.13']
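Review bot: this is the same three-scope block copied into every job the commit touches; a single top-level `permissions:` beside `on:` with `contents: read` would set the restrictive default once for the whole file, and only a job that actually publishes check runs or PR comments would then need its own `checks: write` / `pull-requests: write`. As written, a `tests` job whose visible configuration is a Python matrix gets two write scopes it has no visible use for.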

+ 6 - 0
.github/workflows/yamltests.yml

@@ -12,6 +12,12 @@ on:
 jobs:
   tests:
     runs-on: ubuntu-latest
+
+  permissions:
+    checks: write
+    contents: read
+    pull-requests: write
+
     strategy:
       matrix:
         python-version: ['3.13']
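Review bot: same indentation defect as hacs-validate.yml and hassfest-validate.yml: `permissions:` at two spaces becomes a sibling of `tests:` under `jobs:`, and the `strategy:` line at four spaces that follows is parsed as a child of that `permissions` mapping, so the `tests` job loses its matrix and the file no longer validates. Indent the block by four spaces to place it under `tests:` alongside `runs-on:`, matching the tests.yml hunk above.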