[releases/1.1] github: Specify required permissions for each job #725

Merged
bkeryan merged 1 commit into releases/1.1 from users/bkeryan/github-permissions-1.1
May 22, 2025
@bkeryan bkeryan commented May 22, 2025

What does this Pull Request accomplish?

Cherry-pick #724 into releases/1.1

Why should this Pull Request be merged?

Enable releases/1.1 PRs to run with updated project settings.

What testing has been done?

PR build

Original PR description

  • This contribution adheres to CONTRIBUTING.md.
  • I've updated CHANGELOG.md if applicable.
  • I've added tests applicable for this pull request

What does this Pull Request accomplish?

Currently, this repo's Workflow permissions setting is set to Read and write permissions (Workflows have read and write permissions in the repository for all scopes.). We should change it to Read repository contents and packages permissions (Workflows have read permissions in the repository for the contents and packages scopes only.) to reduce the privileges of jobs that run test code.

Specify permissions on the job level, not the workflow level. Specifying permissions on the workflow level grants the specified permissions to all jobs in the workflow, which gives some jobs permissions that they don't need.

CI.yml has multiple jobs, and only one needs additional privileges. I also updated workflows that have only one job.

Why should this Pull Request be merged?

Principle of least privilege

What testing has been done?

Tested the same change in other repos. I won't flip the settings switch until this PR is merged, to avoid affecting other PRs.
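
The workflow-level versus job-level scoping described in the PR description above, as an added example that is not part of the pull request or the project's own workflows. The job names, scripts and chosen scopes are hypothetical.

```yaml
# Before (constructed): one workflow-level block; every job inherits it.
name: CI
on: [pull_request]
permissions:
  contents: read
  checks: write
  pull-requests: write
jobs:
  test:                             # runs PR test code, yet its token has write scopes
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run_tests.sh         # hypothetical script
  report:
    runs-on: ubuntu-latest
    needs: test
    steps:
      - run: ./publish_results.sh   # hypothetical script
---
# After (constructed): permissions declared on each job.
name: CI
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read                # scopes not listed here are set to "none"
    steps:
      - uses: actions/checkout@v4
      - run: ./run_tests.sh
  report:                           # the only job that needs to write
    runs-on: ubuntu-latest
    needs: test
    permissions:
      checks: write
      pull-requests: write
    steps:
      - run: ./publish_results.sh
```

Because each job lists its scopes explicitly, the `test` job's `GITHUB_TOKEN` stays read-only whichever repository-level default is selected.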

@github-actions

Test Results

    34 files  ±0      34 suites  ±0   56m 32s ⏱️ +29s
 2 396 tests ±0   2 042 ✅ ±0    354 💤 ±0  0 ❌ ±0 
43 102 runs  ±0  36 850 ✅ ±0  6 252 💤 ±0  0 ❌ ±0 

Results for commit 29fa08f. ± Comparison against base commit 86c3e9b.

@bkeryan bkeryan merged commit 4cd5b97 into releases/1.1 May 22, 2025
17 checks passed
@bkeryan bkeryan deleted the users/bkeryan/github-permissions-1.1 branch May 22, 2025 15:47