Update GitHub Actions permissions (#511)

* Update GitHub Actions permissions

* Only run on python 3.13 because of SAM issues

Author: kddejong

.github/workflows/branch-pr-release.yaml

@@ -5,13 +5,19 @@ on:
   pull_request:
     branches:
       - main
+
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
         os: [macos-latest, ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
     - name: Checkout
       uses: actions/checkout@v5
@@ -22,7 +28,7 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
-        python-version: "3.x"
+        python-version: "3.13"
     - name: Setup NPM
       run: |
         npm install

.github/workflows/publish.yaml

@@ -4,9 +4,14 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-node@v5

.github/workflows/template-schema-updater.yaml

@@ -3,9 +3,16 @@ on:
   schedule:
     - cron: '0 */8 * * *'
   workflow_dispatch: # Enables on-demand/manual triggering: https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/manually-running-a-workflow
+
+permissions:
+  contents: read
+
 jobs:
   schema-updater:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v5
       - uses: actions/checkout@v5
@@ -15,7 +22,7 @@ jobs:
           ref: main
       - uses: actions/setup-python@v6
         with:
-          python-version: '3.9'
+          python-version: '3.13'
       - name: Install Poetry
         uses: snok/install-poetry@v1
       - run: |