GitHub Workflows security hardening

[sashashura]

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

[netlify]

✅ Deploy Preview for apollo-server-docs canceled.

Built without sensitive environment variables

Name	Link
🔨 Latest commit	7fe6ffc
🔍 Latest deploy log	https://app.netlify.com/sites/apollo-server-docs/deploys/630c9589ae13490008bd0e81

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 7fe6ffc:

Sandbox	Source
Apollo Server Typescript	Configuration
Apollo Server	Configuration

[glasser]

Thanks, this seems reasonable. I'm gonna check with our docs infra team to make sure this looks right and that they can apply this to all of our docs workflows.

[BlenderDude]

We are going to check to make sure our publish job still works with the lessened permission set, and expand it locally on the job action if necessary (as you mentioned). Once we are sure the permissions are properly set on the docs side we will get this merged in!