harden security of github actions

[jlaehne]

See hyperspy/hyperspy#2727

We should:

• limit write access for workflows by setting default to read for the lumispy organization (https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/)
• consider to pin actions that use secrets

[jlaehne]

Restricted permissions for Actions:

• allow only selected non-lumispy-workflows
• workflows have only read permissions
• actions cannot create or approve PRs

[jordiferrero]

The only actions that use secrets in lumispy are in the release.yml actions:

• GITHUB_TOKEN to create a new release
• TWINE_USERNAME & TWINE_PASSWORD for submitting the new version to PyPI.

@jlaehne what do you want to do with this? I've been reading a bit more on pinning actions, but not sure how to proceed.

[jlaehne]

I am not fully sure either, but think that for these actions it should be OK as it is. In that case we could close this issue.

@ericpre I think we never implemented pinning for HyperSpy either?

[ericpre]

From checking the current workflows, the ones with permissions: contents: write are not using third party actions, which means that this is fine as it is.