Restrict workflow token permissions

[vicentebolea]

GitHub Actions workflows are using tokens with excessive permissions. Should explicitly set minimal permissions using the permissions: key in each workflow.

Most workflows should be read-only unless they specifically need write access.

Reference: https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions

[vicentebolea]

Scorecard detailed results for Token-Permissions (0/10):

Debug: no jobLevel permission defined: .github/workflows/everything.yml:49
Debug: no jobLevel permission defined: .github/workflows/everything.yml:74
Debug: no jobLevel permission defined: .github/workflows/everything.yml:209
Debug: no jobLevel permission defined: .github/workflows/everything.yml:273
Debug: no jobLevel permission defined: .github/workflows/everything.yml:412
Debug: no jobLevel permission defined: .github/workflows/everything.yml:477
Debug: no jobLevel permission defined: .github/workflows/everything.yml:111
Debug: no jobLevel permission defined: .github/workflows/everything.yml:349
Info: jobLevel 'actions' permission set to 'read': .github/workflows/everything.yml:546
Info: jobLevel 'contents' permission set to 'read': .github/workflows/everything.yml:547
Debug: no jobLevel permission defined: .github/workflows/everything.yml:621
Debug: no jobLevel permission defined: .github/workflows/external.yml:9
Debug: no jobLevel permission defined: .github/workflows/pypackaging.yml:32
Debug: no jobLevel permission defined: .github/workflows/pypackaging.yml:51
Debug: no jobLevel permission defined: .github/workflows/stale.yml:8
Warn: no topLevel permission defined: .github/workflows/everything.yml:1
Warn: topLevel permissions set to 'write-all': .github/workflows/external.yml:6

Multiple jobs missing explicit permission definitions. The external.yml workflow has write-all permissions which is overly permissive. Most workflows should explicitly set read-only permissions and only grant write where necessary.