github: Specify required permissions for each job

[bkeryan]

• This contribution adheres to CONTRIBUTING.md.
• I've updated CHANGELOG.md if applicable.
• I've added tests applicable for this pull request

What does this Pull Request accomplish?

Currently, this repo's Workflow permissions setting is set to Read and write permissions (Workflows have read and write permissions in the repository for all scopes.). We should change it to Read repository contents and packages permissions (Workflows have read permissions in the repository for the contents and packages scopes only.) to reduce the privileges of jobs that run test code.

Specify permissions on the job level, not the workflow level. Specifying permissions on the workflow level grants the specified permissions to all jobs in the workflow, which gives some jobs permissions that they don't need.

CI.yml has multiple jobs, and only one needs additional privileges. I also updated workflows that have only one job.

Why should this Pull Request be merged?

Principle of least privilege

What testing has been done?

Tested the same change in other repos. I won't flip the settings switch until this PR is merged, to avoid affecting other PRs.

[github-actions]

Test Results

    34 files  ±0      34 suites  ±0   58m 12s ⏱️ -27s
 2 396 tests ±0   2 042 ✅ ±0    354 💤 ±0  0 ❌ ±0 
43 102 runs  ±0  36 850 ✅ ±0  6 252 💤 ±0  0 ❌ ±0 

Results for commit 154ce1e. ± Comparison against base commit 3b70f51.