ci: explicitly set required permissions on GitHub Actions Workflows

The workflows currently have unlimited read/write permissions. This change sets all permissions to contents:read unless explicitly required by a specific action.
Both the actions/create-release@v1 and rickstaa/action-create-tag@v1 actions need to make changes to the repo for release.
Docs showing required permissions for creating releases and tags:
https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents

This addresses https://github.com/alphagov/govuk-knowledge-graph-search/security/code-scanning/1.

Author: aaronfowles

.github/workflows/actionlint.yml

@@ -1,4 +1,6 @@
 name: Lint GitHub Actions
+permissions:
+  contents: read
 on:
   push:
     paths: ['.github/**']

.github/workflows/check-code-hygiene.yml

@@ -1,5 +1,6 @@
 name: Code Hygiene
-
+permissions:
+  contents: read
 on:
   pull_request:
     branches:

.github/workflows/check-test-coverage.yml

@@ -1,5 +1,4 @@
 name: Jest Coverage Check
-
 on:
   push:
     branches: [main]
@@ -11,6 +10,10 @@ jobs:
     name: Jest Test with Coverage Check
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      actions: write
+
     steps:
       - name: Check out code
         uses: actions/checkout@v4

.github/workflows/production-deploy.yml

@@ -1,5 +1,6 @@
 name: Deploy Production
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

.github/workflows/staging-deploy.yml

@@ -1,5 +1,6 @@
 name: Deploy Staging
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
   push: