ci: add minimum GitHub token permissions for workflows

[ashishkurmi]

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflow runs:
https://github.com/nuxt/nuxt.js/actions/runs/3169583990/jobs/5161596015#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflows:

• nightly.yml
• test.yml
• windows.yml

Motivation and Context

• This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
• GitHub recommends defining minimum GITHUB_TOKEN permissions.
• The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io

[codecov-commenter]

Codecov Report

Base: 65.19% // Head: 65.19% // No change to project coverage 👍

Coverage data is based on head (c9fb41b) compared to base (54e852f).
Patch has no changes to coverable lines.

Additional details and impacted files

@@           Coverage Diff           @@
##              dev   #10734   +/-   ##
=======================================
  Coverage   65.19%   65.19%           
=======================================
  Files          94       94           
  Lines        4155     4155           
  Branches     1172     1172           
=======================================
  Hits         2709     2709           
  Misses       1167     1167           
  Partials      279      279           

Flag	Coverage Δ
unittests	65.19% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[danielroe]

This is a helpful prompt but I think we should instead enable restrictive permissions by default for the nuxt organisation rather than adding these lines to every repo workflow file we have.

See https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization.

If this causes any problems we can then grant more explicit permissions in individual repo workflows.