
Add reference to GitHub action settings

Open penx opened this issue 2 years ago • 1 comment

Closes #359

Checklist

penx avatar Feb 01 '23 09:02 penx

@penx thanks, and apologies for being slow at getting back to this. In principle I'm not against this change, but I'd like to understand better how GitHub behaves in this regard, so I'd really appreciate it if you could check and clarify this, as it's not clear from the docs.

There are two things at play here: the permissions in the workflow yaml and the repository setting Preventing GitHub Actions from creating or approving pull requests.

I would like to understand how they interact with each other before we make this change. Here are my questions and doubts:

  • This setting is in the "Workflow permissions" section of the repository configuration. Because there's another setting in that same section and because that setting can be overwritten by using permissions in the workflow yaml, are we sure that those same permissions aren't also overriding the setting Preventing GitHub Actions from creating or approving pull requests?
  • Assuming that the answer to the above is no, if we check this setting's checkbox, do we still need the permissions in the workflow yaml?

In other words, I'd like to understand if both permissions and checking this setting are needed, or only one of them. The same applies to using a custom token instead of the built-in GITHUB_TOKEN. If you use a custom token, does the new setting need to be checked or does the custom token override that?

simoneb avatar Apr 18 '23 09:04 simoneb