Description
Currently, we use the default permissions for the GITHUB_TOKEN authentication token on GitHub Actions. These default permissions are excessively permissive; for example, they include read/write access to all issues, PRs, and repository contents.
This authentication token is available to all code and actions in a workflow, even if the token is not explicitly passed to them (source). This means that malicious code in our workflows or any of the third-party actions we depend on could steal the GITHUB_TOKEN and take any of the actions allowed by its permissions.
To mitigate this danger, GitHub and the OpenSSF both recommend limiting the permissions of GITHUB_TOKEN to only those necessary. We should do this by:
- Setting `permissions: read-all` as a top-level key so that all jobs have read-only access by default.
- Providing write access as needed to the particular jobs which need it. For details on how to provide this access and what scopes are available, see GitHub's documentation.
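As an added example (not part of this issue or the project's own workflows), here is a workflow laid out the way the two bullets describe: read-only by default, with a single job granted the one write scope it needs. Workflow, job and label names are assumptions.

```yaml
# Added example, not the project's workflow: GITHUB_TOKEN locked down as the
# issue recommends. Workflow, job and label names are hypothetical.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Top-level default: every job receives a read-only GITHUB_TOKEN unless it
# overrides this block, so jobs that never write never can.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits read-all: a compromised step or third-party action in this job
    # can read the repository but cannot push commits, edit issues or merge PRs.
    steps:
      - uses: actions/checkout@v4
      - run: make test

  label-pr:
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name == 'pull_request'
    # Job-level override: listing any scope here replaces the default and sets
    # every unlisted scope to none, so name each scope the job actually needs.
    # Only this job's token can write pull requests.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr edit "$PR" --add-label ci-passed
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```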
I want to raise a PR for this issue if selected.
Thank You