dustin/go-humanize

Set github workflow permissions to read only

Closed · 1 comment

Hi, I'm from Google and I'm working with the OpenSSF to improve supply-chain security in many impactful and relevant open source projects.

The first supply-chain security improvement I would like to suggest is setting GITHUB_TOKEN permissions as read only and granting any write permission needed on job level.

This is needed because GitHub by default grants all write permissions to any workflow. To reduce the impact of a compromised workflow (for example, through what an attacker could exploit with these write permissions), it is a recommendation from both OpenSSF Scorecard and GitHub to always use credentials that are minimally scoped.

Since the changes are quite simple (one line of code, actually), I'll submit a PR to make it easier to understand what this "minimally scoped" is about.

Any questions or concerns, let me know and I hope I can help go-humanize to increase its security posture even more!
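As an added illustration of the pattern described above (this is not the PR the issue refers to and not go-humanize's actual workflow), a GitHub Actions workflow with the "one line" at the top making GITHUB_TOKEN read-only for every job, and a hypothetical `release` job re-granting only the single write scope it needs. The job names, the Go version, the action versions and the release step are assumptions for the example.

```yaml
# Added example, not go-humanize's workflow. The workflow-level `permissions`
# key makes GITHUB_TOKEN read-only for every job in this file; a job that
# needs to write opts back in for just the scopes it uses.
name: CI

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Before: no `permissions` key at all, so every job gets a token with
# whatever the repository default is (at the time of this issue: write
# access to contents, packages, pull requests, issues, ...).
#
# After: this one line makes the token read-only for all jobs unless a job
# says otherwise.
permissions: read-all

jobs:
  test:
    # Inherits the read-only token: checking out the code and running
    # `go test` needs nothing more, so no job-level `permissions` block.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v4
        with:
          go-version: '1.21'
      - run: go test ./...

  release:
    # Hypothetical job: creating a GitHub Release writes to the repository,
    # so it re-grants exactly that scope. A job-level `permissions` block
    # REPLACES the workflow-level set rather than merging with it: every
    # scope not listed here (packages, issues, pull-requests, ...) is `none`
    # for this job, not read. `contents: write` still includes read access,
    # which is what actions/checkout needs.
    if: startsWith(github.ref, 'refs/tags/v')
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "${GITHUB_REF_NAME}" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two practical checks before merging something like this: run the workflow once and look for `Resource not accessible by integration` errors, which is the symptom of a job that silently relied on a write scope it no longer has; and remember that the job-level grant only matters for `push` and tag events, since for `pull_request` runs triggered from a fork GitHub already hands out a read-only token regardless of what the file says.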

Neat, thanks. I guess I should consider doing this to more of my repos.