Drop GitHub token permissions on deploy jobs

Deploy jobs only curl an external updater URL and need no GitHub API
access. Without an explicit permissions block they inherit the workflow
default, which may include contents:write, packages:write, etc.
Setting permissions to {} limits the blast radius if a job is
compromised.

Author: paskal

.github/workflows/ci-site.yml

@@ -135,6 +135,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: merge
     if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+    permissions: {} # only calls an external URL via curl, no GitHub API access needed
 
     steps:
       - name: trigger deployment

.github/workflows/docker.yml

@@ -206,6 +206,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: merge
     if: github.event.workflow_run.head_branch == 'master'
+    permissions: {} # only calls an external URL via curl, no GitHub API access needed
 
     steps:
       - name: trigger deployment