[llvm] [Workflows] Improve GitHub Actions Security hardening (PR #117787)
Carlo Cabrera via llvm-commits
llvm-commits at lists.llvm.org
Thu Dec 12 04:31:04 PST 2024
carlocab wrote:
> Attaching `persist-credentials` to the vast majority of jobs probably does nothing to tangibly improve security as we typically limit `GITHUB_TOKEN` to the `contents: read` permission, which means it shouldn't have access to anything that isn't publicly accessible.
This assumes that `contents: read` is consistently applied, both at the workflow level and for workflow jobs that have different permissions from the top level. It also assumes that an attacker has no way to escalate privileges from a read-only token.
It seems to me that it's better security hygiene to be explicit about persisting credentials on disk, especially given that there are existing [exploits in the wild](https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/) for workflows that fail to set `persist-credentials: false`.
> Blanket adding it might not be the worst idea, but should be done in a separate patch.
Happy to split it out, but if we want to blanket-add it then there should be some automation that keeps it there (otherwise future workflow changes could easily omit it). Though if it's a good idea to blanket-add it, then it also seems to me that the results here aren't really noise.
> Is this static analyzer widely used anywhere? It doesn't seem to be wildly popular at the moment, and so far it seems to have generated more noise than anything else.
It's a fairly new tool, but I expect it will be widely used eventually. The author was also one of the people behind integrating GitHub Actions artifact attestations with SigStore.
https://github.com/llvm/llvm-project/pull/117787
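To make the two settings under discussion concrete, here is an added workflow fragment (illustrative, not part of the PR or the llvm-project repository). It contrasts a job that relies on the `actions/checkout` default of keeping the token on disk with a job that overrides the top-level `contents: read` permission and therefore sets `persist-credentials: false` explicitly. The workflow name and the `./build.sh` and `./publish.sh` commands are placeholders.

```yaml
# Added example, not from the PR: contrasting the default checkout behaviour
# with explicit hardening of the two settings discussed in the thread.
name: example-hardening   # hypothetical workflow name

on:
  pull_request:

# Top-level default: every job gets a read-only GITHUB_TOKEN unless it
# declares its own permissions block.
permissions:
  contents: read

jobs:
  # Weak: no persist-credentials key, so actions/checkout leaves the token in
  # .git/config for every later step of the job (the action's default is true).
  build-default:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh      # placeholder build command

  # This job overrides the top-level permissions, so the "read-only token"
  # assumption no longer holds here; a persisted token would be writable.
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      # Hardened: the token is used for the clone and then not written to disk.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: ./publish.sh    # placeholder; pass the token explicitly via
                             # env/secrets to the steps that really need it
```

Setting `persist-credentials: false` on every checkout, not just in jobs with elevated permissions, avoids depending on reviewers noticing when a later change to a job's `permissions:` block turns a previously harmless persisted token into a writable one.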