JakeChampion / fetch

A window.fetch JavaScript polyfill.

Home Page: http://github.github.io/fetch/


Set GitHub Workflow permissions to read only

joycebrum opened this issue · comments


Hi, I'm from Google and I'm working with the OpenSSF to improve the supply chain security of many open source projects by following the OpenSSF Scorecard checks.

I would like to suggest a simple but important supply chain good practice, which is to always use minimally scoped permissions, because the default of GITHUB_TOKEN is write-all.

This way, even in the case of a compromised workflow, the attacker won't be able to do much.

Let me know if it's ok for me to submit a PR with this change and I'll do it ASAP.

That's ok for you to do 👍
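For readers who want to see what the requested change looks like in practice, here is an added example of a GitHub Actions workflow with a top-level `permissions` block. It is illustrative only and is not a workflow from the fetch repository or from either commenter; the workflow name, job names, Node version and npm commands are assumptions. The point it shows is that the default `GITHUB_TOKEN` scope is replaced by a read-only one for the whole file, and a job that genuinely needs to write widens its own scope instead of the file-wide default.

```yaml
# Added example, not the fetch project's own workflow.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Top-level permissions apply to every job unless a job overrides them.
# `read-all` would grant read on every scope; naming only `contents: read`
# is tighter and is all that actions/checkout needs.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumed version
      - run: npm ci                 # assumed install/test commands
      - run: npm test

  # Hypothetical job that really does need write access (e.g. to push a
  # tag or create a release). The wider scope is declared only here, so a
  # compromised step in `test` still holds a read-only token.
  release:
    if: github.event_name == 'push'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "release steps would go here"
```

A quick way to check a repository for this is to look for a `permissions:` key at the top of every file under `.github/workflows/`; any workflow without one (and without per-job blocks) is running with whatever the repository's default token scope is. The OpenSSF Scorecard `Token-Permissions` check referenced in the issue flags exactly that situation.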