actions: Set permissions for various smaller workflows

[anomiex]

Closes MONOREP-263

Proposed changes:

Mostly through static analysis. A few made use of docs for other actions.

See inline comments for the main notes on what things need. Other notes:

• .github/actions/turnstile - It has docs, may as well mention it (theoretically) needing actions: read.
• coverage-check: Already had some set, but it turns out it doesn't need most of them anymore. It uses the app token for almost everything instead of the default Actions token.
• update-phan-stubs: This one also had permissions set that it doesn't need. It even uses a matticbot token for the checkout, so none needed at all.

Also the following already had permissions that seem correct:

• build-docker
• build-docker-monorepo
• post-build

Leaving build, e2e-tests, tests, and wpcloud for a later PR.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Followup to #46067

Does this pull request change what data or activity we track or use?

No

Testing instructions:

• CI happy?
• Try triggering various workflows in other contexts that aren't already done in this PR.
  • autotagger: Something very similar in https://github.com/anomiex/testing/actions/runs/19678462964
  • check-actions-rate-limit: https://github.com/Automattic/jetpack/actions/runs/19684735272
  • coverage-check:
  • delete-mirror-branches:
  • phpcompatibility-dev: https://github.com/Automattic/jetpack/actions/runs/19684667135
  • pr-is-up-to-date: https://github.com/Automattic/jetpack/actions/runs/19684667032, (still needs one for the other code path)
  • renovate:
  • slack-branch-existence-notification:
  • slack-workflow-failed:
  • stale: https://github.com/Automattic/jetpack/actions/runs/19685127579
  • update-jetpack-staging-sites: https://github.com/Automattic/jetpack/actions/runs/19685195273
  • update-phan-stubs: https://github.com/anomiex/jetpack/actions/runs/19683314789, https://github.com/anomiex/jetpack/actions/runs/19683363255

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[tbradsha]

Nothing stands out as a problem here.

[anomiex]

🤞