chore(ci): Dependabot, workflow security (#1257)

Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: niStee <52573120+niStee@users.noreply.github.comclear>
Co-authored-by: GideonBear <87426140+GideonBear@users.noreply.github.com>

.github/workflows/release_to_aur.yml

@@ -1,7 +1,7 @@
 name: Publish to AUR
 
 on:
-  # Step "Publish binary AUR package" needs the binaries built by the following 
+  # Step "Publish binary AUR package" needs the binaries built by the following
   # workflow, so we wait for it to complete.
   workflow_run:
     workflows: ["Publish release files for CD native and non-cd-native environments"]
@@ -15,6 +15,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   aur-publish:
     runs-on: ubuntu-latest