I would like to suggest setting the permissions to the github workflows as read only on the top level and any write permission be given at the run level.

This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.

Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.

I'll submit soon a PR with the changes I've mentioned.

Thanks!
Joyce Brum

Disclosure: I'm from Google, working with the OpenSSF to help many open source projects to increase their supply-chain security.

Sounds good to me, thank you!