Description
Hi! I'm Diogo and I work at the same Google team as Joyce, who created the issue #60750.
I see that most of your GitHub workflows have minimal permissions correctly defined (as Joyce suggested on #60750), but the newly created workflow libcxx-check-generated-files.yml is missing it. As it's a simple change, I'll take the liberty and submit a PR right away adding it.
Additionally, I'll suggest that you consider using the OpenSSF Scorecard Action, a tool that automatically evaluates the project's security posture and provide possible improvements directly at your Security Panel. It's the tool that Joyce and I have used to spot the improvements suggested on our issues, and it'd be specially helpful to ensure you don't regress on the security measures you have already adopted =). Let me know if you have interest and I'd be happy to raise another PR installing it for you.
Thanks!