ci: per-job permissions for publish-pypi, release-doctor, sync-labels, semgrep

- publish-pypi: contents: read -- publish step uses PYPI_TOKEN, not
  GITHUB_TOKEN.
- release-doctor: contents: read -- only runs a local sanity-check
  script.
- sync-labels: issues: write -- micnncim/action-label-syncer manages
  repo labels via GITHUB_TOKEN.
- semgrep: contents: read -- only checks out code and runs semgrep ci.

Matches the per-job permissions style already used in ci.yml and
detect-breaking-changes.yml.

Co-authored-by: arpitjain099 <arpitjain099@gmail.com>

Author: musa-cf

.github/workflows/publish-pypi.yml

@@ -11,6 +11,8 @@ on:
 jobs:
   publish:
     name: publish
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/release-doctor.yml

@@ -13,6 +13,8 @@ concurrency:
 jobs:
   release_doctor:
     name: release doctor
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 2
     if: github.repository == 'cloudflare/cloudflare-python' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || startsWith(github.head_ref, 'release-please') || github.head_ref == 'next')

.github/workflows/semgrep.yml

@@ -6,6 +6,8 @@ name: Semgrep config
 jobs:
   semgrep:
     name: semgrep/ci
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     env:
       SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

.github/workflows/sync-labels.yml

@@ -8,6 +8,8 @@ on:
       - .github/labels.yml
 jobs:
   build:
+    permissions:
+      issues: write   # action-label-syncer creates/updates repo labels
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2