authorJay Huh <jewoongh@meta.com>2024-08-26 15:28:17 -0700
committerFacebook GitHub Bot <facebook-github-bot@users.noreply.github.com>2024-08-26 15:28:17 -0700
commit0082907bf2021d8cccba4a911084f1b1b7054864 (patch)
tree23b245e7014b23cac785d23547515f4b8d21ff54 /.github
parentd96e67c2bf7f8907c1edfd27d2e6a37b2a2bfce1 (diff)
Scope down workflow permissions (#12973)
Summary: Followed instruction per https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defining-access-for-the-github_token-scopes It turns out that we did not need any of these except `Metadata: read`. Before ``` GITHUB_TOKEN Permissions Actions: write Attestations: write Checks: write Contents: write Deployments: write Discussions: write Issues: write Metadata: read Packages: write Pages: write PullRequests: write RepositoryProjects: write SecurityEvents: write Statuses: write ``` After ``` GITHUB_TOKEN Permissions Metadata: read ``` Pull Request resolved: https://github.com/facebook/rocksdb/pull/12973 Test Plan: GitHub Actions triggered by this PR Reviewed By: cbi42 Differential Revision: D61812651 Pulled By: jaykorean fbshipit-source-id: 4413756c93f503e8b2fb77eb8b684ef9e6a6c13d
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/benchmark-linux.yml12
-rw-r--r--.github/workflows/nightly-candidate.yml1
-rw-r--r--.github/workflows/nightly.yml1
-rw-r--r--.github/workflows/pr-jobs-candidate.yml1
-rw-r--r--.github/workflows/pr-jobs.yml1
5 files changed, 10 insertions, 6 deletions
diff --git a/.github/workflows/benchmark-linux.yml b/.github/workflows/benchmark-linux.yml
index 929426091..bdf26c866 100644
--- a/.github/workflows/benchmark-linux.yml
+++ b/.github/workflows/benchmark-linux.yml
@@ -1,13 +1,13 @@
name: facebook/rocksdb/benchmark-linux
-# FIXME: Disabled temporarily
-# on:
-# schedule:
-# - cron: 7 */2 * * * # At minute 7 past every 2nd hour
-
+on: workflow_dispatch
+permissions: {}
+ # FIXME: Disabled temporarily
+ # schedule:
+ # - cron: 7 */2 * * * # At minute 7 past every 2nd hour
jobs:
benchmark-linux:
if: ${{ github.repository_owner == 'facebook' }}
- runs-on: self-hosted
+ runs-on: ubuntu-latest # FIXME: change this back to self-hosted when ready
steps:
- uses: actions/checkout@v4.1.0
- uses: "./.github/actions/build-for-benchmarks"
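Review bot: The commented-out schedule block is re-added below `permissions: {}` rather than under `on:`, so uncommenting it where it stands would not restore the cron trigger, and `on: workflow_dispatch` would first have to be turned into a mapping. I would place `permissions: {}` after the FIXME block, or extend the comment to `# FIXME: Disabled temporarily; re-add under on: as a mapping`. Separately, this workflow only runs on `workflow_dispatch`, so the PR's CI run named in the test plan did not exercise the reduced token here; the same holds for nightly-candidate.yml and pr-jobs-candidate.yml, and presumably for the scheduled nightly.yml. A manual dispatch of each after merge would confirm that no step depends on a scope that `permissions: {}` removes. The `steps:` list may continue past the end of the hunk.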
diff --git a/.github/workflows/nightly-candidate.yml b/.github/workflows/nightly-candidate.yml
index 28a2d3405..bfc15d1b5 100644
--- a/.github/workflows/nightly-candidate.yml
+++ b/.github/workflows/nightly-candidate.yml
@@ -1,5 +1,6 @@
name: facebook/rocksdb/nightly
on: workflow_dispatch
+permissions: {}
jobs:
# These jobs would be in nightly but are failing or otherwise broken for
# some reason.
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index c075b5298..0bf343639 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -3,6 +3,7 @@ on:
schedule:
- cron: 0 9 * * *
workflow_dispatch:
+permissions: {}
jobs:
build-format-compatible:
if: ${{ github.repository_owner == 'facebook' }}
diff --git a/.github/workflows/pr-jobs-candidate.yml b/.github/workflows/pr-jobs-candidate.yml
index 5c8e96842..c6e280fdf 100644
--- a/.github/workflows/pr-jobs-candidate.yml
+++ b/.github/workflows/pr-jobs-candidate.yml
@@ -1,5 +1,6 @@
name: facebook/rocksdb/pr-jobs-candidate
on: workflow_dispatch
+permissions: {}
jobs:
# These jobs would be in pr-jobs but are failing or otherwise broken for
# some reason.
diff --git a/.github/workflows/pr-jobs.yml b/.github/workflows/pr-jobs.yml
index 627b4dfc0..9d89a111e 100644
--- a/.github/workflows/pr-jobs.yml
+++ b/.github/workflows/pr-jobs.yml
@@ -1,5 +1,6 @@
name: facebook/rocksdb/pr-jobs
on: [push, pull_request]
+permissions: {}
jobs:
# NOTE: multiple workflows would be recommended, but the current GHA UI in
# PRs doesn't make it clear when there's an overall error with a workflow,
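Review bot: `permissions: {}` is added without a comment, so a contributor who later adds a step that needs a token scope gets a permission error with nothing in the file explaining why. I would put `# Default-deny for GITHUB_TOKEN; grant scopes in a job-level permissions: block only where a job needs them` above the line, here and in the four other workflow files this commit changes. Job-level grants keep the extra scope away from the other jobs, which matters most in this file because it runs on `pull_request`. The `jobs:` mapping continues outside the hunk.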