Restrict permissions for GitHub action

[ashishkurmi]

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes.
Here is an example of the permissions in one of the workflow runs:
https://github.com/spring-projects/spring-framework/runs/8233093764?check_suite_focus=true#step:1:19

After this change, the scopes will be reduced to the minimum needed for the workflow.

Motivation and Context

• This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
• GitHub recommends defining minimum GITHUB_TOKEN permissions.
  https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
• The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io

[pivotal-cla]

@boahc077 Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

[pivotal-cla]

@boahc077 Thank you for signing the Contributor License Agreement!

[snicoll]

@boahc077 thank you for making your first contribution to Spring Framework.

[vpavic]

See spring-projects/spring-boot#31344 (comment).

[snicoll]

Thanks Vedran, I had forgotten about that. I've changed the default permission.