Potential fix for code scanning alert no. 3: Workflow does not contain permissions

[thpierce]

Potential fix for https://github.com/aws-observability/aws-otel-ruby/security/code-scanning/3

To remedy the issue, a permissions block should be added to restrict the GITHUB_TOKEN privileges so the workflow or job only receives the rights it needs. Specifically, the actions/stale uses the bot to read and write issues and pull-requests, label them, and potentially close them. The minimal required set is contents: write, issues: write, and pull-requests: write. This block can be placed either at the root of the workflow (making it apply to all jobs) or at the job level (stale-close). According to the CodeQL recommendation, it's preferable to put it at the job level so that only the job has the permissions it needs.
Edit .github/workflows/stale-bot.yml, and under jobs: stale-close: (before runs-on:), add:

permissions:
  contents: write
  issues: write
  pull-requests: write

No new imports or external code definitions are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[ezhang6811]

Do we need contents: write? See https://github.com/aws-observability/aws-otel-python/pull/99/files

also: not blocking, but for parity we could put all permissions at job level.

[thpierce]

contents: write # only for delete-branch option - https://github.com/actions/stale

Will remove.