fix: restrict GITHUB_TOKEN to contents: read in sync workflow

The GITHUB_TOKEN previously inherited org-wide default permissions.
Since the workflow only uses GitHub App credentials for the sync and
GITHUB_TOKEN is only needed for the two actions/checkout steps,
restrict it to contents: read.

Closes #3

Author: Nicolas Brieussel

.github/workflows/safe-settings-sync.yml

@@ -21,6 +21,8 @@ jobs:
   sync:
     name: Sync org settings${{ github.event.inputs.nop == 'true' && ' (dry-run)' || '' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       SAFE_SETTINGS_VERSION: 2.1.17
       SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code