GitHub Workflows security hardening

[sashashura]

What:
This PR adds explicit permissions section to workflows.

Why:
This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.

How:
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

Checklist:

• Documentation added to the
  docs site N/A
• Tests N/A
• TypeScript definitions updated N/A
• Ready to be merged
  

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 7389dab:

Sandbox	Source
react-testing-library-examples	Configuration

[codecov]

Codecov Report

Merging #1193 (7389dab) into main (fe12e5b) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##              main     #1193   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           24        24           
  Lines          998       998           
  Branches       326       327    +1     
=========================================
  Hits           998       998           

Flag	Coverage Δ
node-12	100.00% <ø> (ø)
node-14	100.00% <ø> (ø)
node-16	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[timdeschryver]

LGTM 👍

[eps1lon]

Let's see if it works.

[eps1lon]

This was missing issues: write for semantic-release. Fixing in #1214