allstar
Policy Idea: Default workflow permissions.
GitHub has two defaults for the permissions of Actions workflows (if the workflow yaml does not specify permissions).
Details here; see the "permissive" and "restricted" columns.
Looks like this is settable at the org level already: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
Not sure what an Allstar policy would look like, need to dig in further.
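One shape such a policy check could take, as an added example that is not part of this issue or of the Allstar code base: a simplified line-based scan (assumption: no YAML library is used, and the sample workflows are constructed) that flags workflows relying on the default GITHUB_TOKEN permissions because neither the workflow nor every job declares a `permissions:` block.

```python
"""Flag GitHub Actions workflows that rely on the default GITHUB_TOKEN permissions
instead of declaring them. Simplified line-based check (assumption: no YAML library);
it looks for a `permissions:` key at the workflow top level or directly under a job."""
import re

KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):")  # un-quoted mapping key + indent

def audit_workflow(yaml_text: str) -> dict:
    """Return which jobs declare permissions and whether the default applies."""
    top_level, jobs = False, {}            # workflow-wide block; job -> declares own
    in_jobs, current_job = False, None
    job_indent = child_indent = None
    for raw in yaml_text.splitlines():
        m = KEY_RE.match(raw.split("#", 1)[0])          # ignore trailing comments
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                                 # top-level key
            in_jobs, current_job = key == "jobs", None
            top_level |= key == "permissions"
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent                         # first key under `jobs:`
        if indent == job_indent:                        # new job entry
            current_job, child_indent = key, None
            jobs[key] = False
        elif current_job is not None:
            if child_indent is None:
                child_indent = indent                   # the job's direct children
            if indent == child_indent and key == "permissions":
                jobs[current_job] = True
    # A workflow-level block covers every job; otherwise each job needs its own.
    relies_on_default = not top_level and not all(jobs.values())
    return {"workflow_level": top_level, "jobs": jobs, "relies_on_default": relies_on_default}

# Constructed sample workflows (not taken from the issue or the Allstar repository).
IMPLICIT = "name: ci\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n" \
           "    steps:\n      - uses: actions/checkout@v4\n      - run: make test\n"
EXPLICIT = ("name: release\non: [push]\npermissions:\n  contents: read\njobs:\n"
            "  build:\n    runs-on: ubuntu-latest\n    steps:\n      - run: make\n"
            "  publish:\n    permissions:\n      contents: write\n"
            "    runs-on: ubuntu-latest\n    steps:\n      - run: ./publish.sh\n")

if __name__ == "__main__":
    for name, text in (("implicit", IMPLICIT), ("explicit", EXPLICIT)):
        print(name, audit_workflow(text))
```

The `IMPLICIT` sample is the case the issue describes: no `permissions:` anywhere, so whichever org or repository default is configured decides what the token can do.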