chore: restrict GitHub actions permissions (#1371)

Be more selective in granting permissions to actions

.github/workflows/dependency-graph.yml

@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - main # default branch of the project
+
+permissions: {}
+
 jobs:
   dependency-graph:
     name: Update Dependency Graph
@@ -10,3 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: scalacenter/sbt-dependency-submission@v2
+        permissions:
+          # The API requires write permission on the repository
+          # to submit dependencies
+          contents: write

.github/workflows/scala-steward.yml

@@ -5,6 +5,10 @@ on:
 
 name: Launch Scala Steward
 
+# The GitHub Action doesn't need permissions: it only reads already-public
+# data and creates PRs through the scala-steward-asf bot:
+permissions: {}
+
 jobs:
   scala-steward:
     runs-on: ubuntu-22.04