Specify permissions in workflows #1129

Open
wants to merge 1 commit into
base: master


@jsoref jsoref commented Jul 31, 2022

Forked repositories may not grant write permissions by default

There are two good approaches to handling workflows in forks:

  1. Make the workflow check to see if it is in a fork and then have it not run. This is a good practice if your workflow is expensive or doesn't otherwise make sense to run in forks.
  2. Make sure your workflow has enough permissions to function in forks.

An organization can be configured to default to read-only workflow tokens -- these two workflows do not behave properly in such repositories. Here's an example of one of the workflows failing under these conditions and with this change applied. I didn't take the effort to create an issue with the default workflow (and my default branch does not have the workflow), but you can see that with the workflow fixed, comments for new issues work.

Deciding whether to apply this change should probably be done as a set; as such, I'm not splitting these two changes into distinct PRs, although you technically could apply them individually.

(Fwiw, the warnings they make are valuable, especially the one that explains how this repository wants its PRs, which is why I'm favoring the workflow running in forks instead of having it not run at all...)
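
The two approaches from the comment above, sketched as an added example that is not part of this pull request or the project's own workflows. The workflow name, trigger, comment text, and the `OWNER/REPO` placeholder are assumptions:

```yaml
# Constructed example: a workflow that comments on newly opened issues.
name: Greet new issues

on:
  issues:
    types: [opened]

# Approach 2: declare the scopes GITHUB_TOKEN needs. This makes the job work
# where the organization or repository default is a read-only token, and any
# scope not listed here is set to no access (least privilege).
permissions:
  issues: write

jobs:
  comment:
    runs-on: ubuntu-latest
    # Approach 1 (alternative): skip the job outside the upstream repository.
    # OWNER/REPO is a placeholder for the upstream repository name.
    # if: github.repository == 'OWNER/REPO'
    steps:
      - name: Comment on the new issue
        env:
          # gh reads its credential from GH_TOKEN.
          GH_TOKEN: ${{ github.token }}
          # Pass event data through env rather than interpolating it into
          # the script, so it is never parsed as shell.
          ISSUE_URL: ${{ github.event.issue.html_url }}
        run: gh issue comment "$ISSUE_URL" --body "Thanks for opening this issue."
```

Without the `permissions` block, the same step fails with a permission error in any repository whose default token is read-only, which is the failure mode the comment describes.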

Forked repositories may not grant write permissions by default
@github-actions

Thanks for suggesting these code changes. To set expectations:

  • Pull requests are reviewed in batches, so it can take some time to get a response.
  • Smaller pull requests are easier to review. To fix nine typos, nine specific issues will always go faster than one big one. Learn why here.
  • Reviewers may not know as much as you about certain situations, so add links to supporting evidence for important claims, especially regarding standards for CSS, HTTP, URI, etc.

Finally, please be patient with the core team. They are trying their best with limited resources.
