Jira: https://asfdaac.atlassian.net/browse/TOOL-3391
Note: The above link is accessible only to members of ASF.
Since CodeQL scanning was enabled for our repos, we've been getting warnings like:
If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced [...]
See https://github.com/ASFHyP3/hyp3-sdk/security/code-scanning/16 for the recommended resolution.
Also see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
Assuming that these permissions can be set in our reusable actions, then that's probably what we should do, otherwise we'll have to set them in the individual workflows.
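As an added illustration (not a workflow from the ASFHyP3 repositories), the workflow below shows the setting the CodeQL alert is asking for: a workflow-level `permissions` block that starts every job at `contents: read`, one job that widens a single scope because it actually needs it, and one job that calls a reusable workflow. The file name, job names, reusable-workflow path and the `make test` command are hypothetical.

```yaml
# Added example, not an ASFHyP3 workflow. File, job and path names are hypothetical.
name: ci

on:
  pull_request:

# Before: no `permissions` key anywhere, so each job's GITHUB_TOKEN inherits the
# repository/organization default, which for orgs created before February 2023
# is read-write on every scope. That inherited default is what CodeQL flags.

# After: declare least privilege once at the workflow level. Every job now
# starts with read access to repository contents and `none` on every other scope.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No job-level block: inherits `contents: read` from the workflow level.
    steps:
      - uses: actions/checkout@v4
      - run: make test   # hypothetical test command

  comment:
    runs-on: ubuntu-latest
    needs: test
    # This job needs to write a PR comment, so it widens exactly one scope.
    # A job-level block replaces the workflow-level block entirely: any scope
    # not listed here is set to `none`, so `contents: read` is repeated.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "tests passed"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}

  reusable:
    # Calling a reusable workflow: the caller job's `permissions` is the ceiling.
    # The called workflow may declare its own `permissions` to lower them
    # further, but it cannot raise them above what the caller grants.
    uses: ./.github/workflows/reusable-test.yml   # hypothetical path
    permissions:
      contents: read
```

Two caveats for the "reusable actions" question in the issue: the `permissions` key exists only in workflow files (workflow level, job level, and on a job that `uses:` a reusable workflow), so a composite action's `action.yml` cannot set it and the caller workflow must. To confirm what a job actually received, open the job's "Set up job" step in the run log; it prints a "GITHUB_TOKEN Permissions" section listing the effective scope of each permission, which is the quickest way to check that a tightened workflow did not silently break a step that still needs write access.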