add permissions to take out write-all in CI

[SecondeJK]

IaC reports that Github workflow for CI does not have permissions set, resulting in write-all by default.

Description

Adds permissions with some restrictions to contents, deployments and packages.

Motivation and Context

Security audit results

Types of changes

• [x] Bug fix (non-breaking change which fixes an issue)
• [x] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• [x] My code follows the code style of this project.
• [ ] My change requires a change to the documentation.
• [ ] I have updated the documentation accordingly.
• [x] I have read the CONTRIBUTING document.
• [ ] I have added tests to cover my changes.
• [x] All new and existing tests passed.

[codecov-commenter]

Codecov Report

Merging #439 (128c323) into main (a7db15d) will not change coverage. The diff coverage is n/a.

@@            Coverage Diff            @@
##               main     #439   +/-   ##
=========================================
  Coverage     78.87%   78.87%           
  Complexity     2323     2323           
=========================================
  Files           218      218           
  Lines          6252     6252           
=========================================
  Hits           4931     4931           
  Misses         1321     1321           

:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more