Commit de77f6f
[StepSecurity] Apply security best practices (#39)
This PR implements [go/ssdlc-2](https://go/ssdlc-2). Please raise issues
to ProdSec's on-call rotation.
Ref: chainguard-dev/prodsec#138
## Summary
This pull request has been generated by
[StepSecurity](https://app.stepsecurity.io/github/chainguard-dev/actions/dashboard)
as part of your enterprise subscription to ensure compliance with
recommended security best practices. Please review and merge the pull
request to apply these security enhancements.
At a high level, this PR:
- Adds the `harden-runner` Action if not already present
- Pins Actions to a digest rather than mutable tags
- Restricts GitHub token permissions to be as minimal as possible
## Security Fixes
### Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make
authenticated calls to the GitHub API. GitHub recommends setting minimum
token permissions for the GITHUB_TOKEN.
- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)
## Feedback
For bug reports, feature requests, and general feedback, please create
an issue in
[step-security/secure-repo](https://github.com/step-security/secure-repo)
or contact us via [our website](https://www.stepsecurity.io/).
Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>

1 parent 67a753d, commit de77f6f
1 file changed, +2 -0 lines changed

| Original file line number | Diff line number | Diff line change |
|---|---|---|
| 8 | 8 | |
| 9 | 9 | |
| 10 | 10 | |
| | 11 | + |
| | 12 | + |
| 11 | 13 | |
| 12 | 14 | |
| 13 | 15 | |
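Review bot: the commit message claims three kinds of changes (adding `harden-runner`, pinning Actions to digests, restricting token permissions), but the diff is +2 -0 in a single file, which cannot cover all three; the message should state which of them was actually applied so the change can be checked against its stated intent. The two added lines at new-file lines 11 and 12 sit between unchanged context lines 10 and 11 and their content is not shown in this rendering, so confirm in the repository that they set the minimal `permissions` scope the "Security Fixes" section describes and nothing else.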