Set Actions token permissions to minimum required. (#1014)

Each of the three Actions workflows requires fewer permissions than
GITHUB_TOKEN has by default, so each of them are now configured with
the minimum permissions required.

Co-authored-by: Anthony Gomez <[email protected]>

Author: kpfleming

.github/workflows/dependabot_changelog_update.yml

@@ -1,4 +1,6 @@
 name: Generate changelog entry for Dependabot
+permissions:
+  contents: read
 
 on:
   pull_request:

.github/workflows/pr.yml

@@ -9,6 +9,8 @@ on:
   repository_dispatch:
     types: [ok-to-test-command] # corresponds to ./ok-to-test.yml `commands:` field
 name: Pull request
+permissions:
+  contents: read
 jobs:
   changelog:
     if: github.actor != 'dependabot[bot]'

.github/workflows/release.yml

@@ -8,6 +8,8 @@
 # private key in the `GPG_PRIVATE_KEY` secret and passphrase in the `PASSPHRASE`
 # secret. We use the fastly fork to ensure safety GPG handling.
 name: release
+permissions:
+  contents: write
 on:
   push:
     tags: