ci: scopedown GitHub token

[AdnaneKhan]

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[liwadman]

Hey Adnan, thank you for your submission.

I have no concerns on the modification for notifier task as it's pretty uninteresting and benign, but I've forwarded this to my colleague who is more familiar with our repo sync setup to understand the specifics of what we're doing with that and the implications of being more explicit with the permissions and to do some testing.

[AdnaneKhan]

Hey Adnan, thank you for your submission.

I have no concerns on the modification for notifier task as it's pretty uninteresting and benign, but I've forwarded this to my colleague who is more familiar with our repo sync setup to understand the specifics of what we're doing with that and the implications of being more explicit with the permissions and to do some testing.

Thanks! Based on the workflow if it still uses the PAT then no permissions are needed (as it uses the PAT for auth). If using the GitHub token it'll need contents: write + pull-requests: write (if it is making a PR on this repo - if making a PR on another repo it will always need the PAT).