[StepSecurity] ci: Harden GitHub Actions (Token Permissions)

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @bingenito. Please merge the Pull Request to incorporate the requested changes. Please tag @bingenito on your message if you have any questions related to the PR.
Fixes #1244

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

[linux-foundation-easycla]

• ❌ - login: @step-security-bot / name: StepSecurity Bot . The commit (eff1822) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please submit a support request ticket.

[netlify]

✅ Deploy Preview for fdc3 ready!

Name	Link
🔨 Latest commit	eff1822
🔍 Latest deploy log	https://app.netlify.com/sites/fdc3/deploys/668529d77dfec10008a7a21c
😎 Deploy Preview	https://deploy-preview-1246--fdc3.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[kriswest]

LGTM although we'll need to check the pacakging workflow is still able to publish to github after this merged. That will only be triggered when we try to push a new module version to NPM.