build: be explicit about workflow permissions (#10690)

Signed-off-by: Jakob Borg <jakob@kastelo.net>

.github/workflows/build-syncthing.yaml

@@ -9,6 +9,11 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+
 env:
   # The go version to use for builds. We set check-latest to true when
   # installing, so we get the latest patch version that matches the
@@ -1020,6 +1025,7 @@ jobs:
       VERSION: ${{ needs.facts.outputs.version }}
       RELEASE_KIND: ${{ needs.facts.outputs.release-kind }}
     strategy:
+      fail-fast: false
       matrix:
         pkg:
           - syncthing

.github/workflows/mirrors.yaml

@@ -2,6 +2,9 @@ name: Mirrors
 
 on: [push, delete]
 
+permissions:
+  contents: read
+
 jobs:
   codeberg:
     name: Mirror to Codeberg

.github/workflows/trigger-nightly.yaml

@@ -5,6 +5,9 @@ on:
     # Run nightly build at 01:00 UTC
     - cron: '00 01 * * *'
 
+permissions:
+  contents: write
+
 jobs:
 
   trigger-nightly:

.github/workflows/update-docs-translations.yaml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '42 3 * * 1'
 
+permissions:
+  contents: write
+
 jobs:
 
   update_transifex_docs: