ci: document why each permission is needed

Author: serhalp

.github/workflows/release-tag.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-slim
     if: github.repository == 'npmx-dev/npmx.dev'
     permissions:
-      contents: write
+      contents: write # create release tags and GitHub releases
     outputs:
       version: ${{ steps.version.outputs.next }}
       skipped: ${{ steps.check.outputs.skip }}
@@ -92,7 +92,7 @@ jobs:
     if: needs.tag.outputs.skipped == 'false'
     permissions:
       contents: read
-      id-token: write
+      id-token: write # authenticate npm trusted publishing via OIDC
     environment: npm-publish
 
     steps:

.github/workflows/stale.yml

@@ -17,7 +17,7 @@ jobs:
     name: 🧹 Mark stale bug issues
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write # mark and close stale bug issues
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
         with:
@@ -35,7 +35,7 @@ jobs:
     name: 🧹 Mark stale pull requests
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # mark and close stale pull requests
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
         with: