CI: Define Permission for Nightly & Preview Builds Workflows (Acode-Foundation#1616)

* chore: define permissions, following [ossf](https://github.com/ossf/scorecard/blob/4b2375ce6ec56d235007d960c08bd07ffc56c165/docs/checks.md#token-permissions)

* fix: on-demand-preview-releases-PR RUNS on drafted Pull Requests.

Author: UnschooledGamer

.github/workflows/nightly-build.yml

@@ -34,6 +34,9 @@
     group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}-${{ inputs.is_PR && 'is_PR' || 'not_PR'}}
     cancel-in-progress: true
 
+  permissions:
+    contents: read
+
   env:
     STORE_FILE_PATH: /tmp/app-debug.keystore
     BUILD_JSON_PATH: build.json
@@ -44,7 +47,13 @@
       timeout-minutes: 60
       runs-on: ubuntu-latest
       if: github.repository_owner == 'Acode-Foundation'
-      
+
+      permissions:
+#        contents write is needed to create Nightly Releases.
+        contents: write
+        issues: write
+        pull-requests: write
+
       outputs:
          release_output_url: ${{ steps.release.outputs.url }} 
          updated_version: ${{ steps.update-version.outputs.UPDATED_VERSION}} 

.github/workflows/on-demand-preview-releases-PR.yml

@@ -7,7 +7,7 @@ on:
 #      - '.github/**'
     types: [labeled, synchronize]
 
-
+# defined at workflow-level as the workflow, Requires these permissions to function.
 permissions:
   contents: write
   pull-requests: write
@@ -23,7 +23,8 @@ jobs:
   job_trigger:
     name: Trigger Preview Release (if conditions met)
     if: |
-        (github.repository_owner == 'Acode-Foundation'
+        github.event.pull_request.draft == false
+        && (github.repository_owner == 'Acode-Foundation'
         && (!contains(github.event.pull_request.labels.*.name, 'DO NOT PREVIEW RELEASE') 
         && (contains(github.event.pull_request.labels.*.name, 'Bypass check - PREVIEW RELEASE') 
         || contains(github.event.pull_request.labels.*.name, 'CI: RUN ON-DEMAND PREVIEW RELEASES')))