Set explicit workflow permissions (#13746)

Author: glenn-jocher

.github/workflows/docker.yml

@@ -5,7 +5,7 @@
 name: Publish Docker Images
 
 permissions:
-  contents: read
+  contents: read # Required for checkout only; Docker Hub push uses repository secrets.
 
 on:
   push:

.github/workflows/links.yml

@@ -11,7 +11,7 @@
 name: Check Broken links
 
 permissions:
-  contents: read
+  contents: read # Required for checkout and authenticated link checks only.
 
 on:
   workflow_dispatch:

.github/workflows/merge-main-into-prs.yml

@@ -6,7 +6,7 @@
 name: Merge main into PRs
 
 permissions:
-  contents: read
+  contents: write
   pull-requests: write
 
 on:

.github/workflows/stale.yml

@@ -1,15 +1,17 @@
 # Ultralytics 🚀 AGPL-3.0 License - https://ultralytics.com/license
 
 name: Close stale issues
+
+permissions:
+  issues: write
+  pull-requests: write
+
 on:
   schedule:
     - cron: "0 0 * * *" # Runs at 00:00 UTC every day
 
 jobs:
   stale:
-    permissions:
-      issues: write
-      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v10