ci: add minimum GitHub token permissions for workflow

[ashishkurmi]

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflow runs:
https://github.com/nodejs/node-v8/actions/runs/3167512719/jobs/5158057075#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflow:

• update-canary.yml

Motivation and Context

• This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
• GitHub recommends defining minimum GITHUB_TOKEN permissions.
• The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io

[targos]

The update script must be able to push to the canary branch:

node-v8/tools/update-canary.sh

Lines 28 to 29 in 11d0b20

	# Force-push to the canary branch.
	git push --force origin HEAD:canary

[targos]

No follow-up so I'm closing this. Feel free to reopen or open another PR with updated permissions.