We have switched the default behavior for this org to "Workflows have read permissions in the repository for the contents scope only" to utilize GitHub Actions: Control permissions for GITHUB_TOKEN. See also jupyterhub/team-compass#404
An example PR that allows fine-grained permissions is jupyterlab/jupyterlab#10136.
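
As an added illustration (not taken from the referenced PR or from any repository in this org), this is how a workflow can declare fine-grained `GITHUB_TOKEN` permissions so that only the job that needs write access gets it. The workflow name, job names, tag pattern and `make test` command are hypothetical.

```yaml
# Hypothetical workflow; names and commands are illustrative.
name: Release

on:
  push:
    tags: ["v*"]

# Workflow-level default: every job gets a read-only token for contents.
# Once a permissions block is present, scopes not listed in it are set to "none".
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No job-level block, so this job inherits contents: read.
    steps:
      - uses: actions/checkout@v4
      - run: make test  # hypothetical test command

  release:
    needs: test
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job only.
    permissions:
      contents: write  # required to create the release
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

With the read-only org default, a workflow that writes to the repository and lacks such a block fails at the write step, so the explicit `permissions` entry also documents exactly which scopes each job relies on.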