Closed
Description
Hi, I'm Joyce, from the Google Open Source Security Team (GOSST). Setting the GITHUB_TOKEN permission is one of the OSSF Scorecard recommendations -- called the Token-Permissions check.
The default permissions given to GITHUB_TOKEN are write-all, which can be exploited by an attacker in case of a compromised action.
To mitigate this risk it is important to use credentials that are minimally scoped.
I'll submit a PR together with the issue. Thanks.
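The change the Token-Permissions check asks for, shown as an added example rather than the PR attached to this issue: a hypothetical workflow file (`.github/workflows/ci.yml`, job names and commands assumed) that declares a read-only top-level `permissions:` block and grants a write scope only to the one job that needs it.

```yaml
# Hypothetical workflow for illustration; not the PR submitted with this issue.
#
# Weak form (what the Scorecard check flags): no `permissions:` key at all.
# GITHUB_TOKEN then receives the repository default, which can be write-all,
# so a compromised third-party action could push commits, publish releases
# or tamper with issues using the token.
#
# Hardened form below: top-level permissions are read-only for every job,
# and a job that genuinely needs a write scope elevates only that scope.
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Applies to every job unless a job overrides it.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test          # assumed build/test command

  # Only this job can write, and only to pull requests (e.g. to add a label).
  label:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label-pr.sh   # assumed script using GITHUB_TOKEN
```

Job-level `permissions:` replaces the top-level block for that job rather than merging with it, so list every scope the job needs there.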