revoke permissions for builder

[alsuren]

I think that this solves #49 without any added complexity.

I stumbled across this setting when trying to set up the webhook based scheme described in #49.
The paper trail went something like: https://github.com/organizations/cargo-quick/settings/actions
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token

This allowed me to know that it was possible at the top level, and then I jumped into vscode to see whether it was possible to use it at the job level (using the red hat yaml plugin, which pointed me at https://json.schemastore.org/github-workflow.json)

Turns out it is: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions

[alsuren]

Don't worry about the failing test. This only exists because I have a special case for the actions branch, which happens to have a race in it.