GitHub Workflows security hardening (#5992)

* build: harden update-changelog.yml permissions
Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden tests.yml permissions
Signed-off-by: Alex <aleksandrosansan@gmail.com>

* Update update-changelog.yml

* Update tests.yml

Co-authored-by: Dries Vints <dries@vints.io>

.github/workflows/tests.yml

@@ -1,6 +1,14 @@
 name: Tests
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - master
+      - '*.x'
+  pull_request:
+
+permissions:
+  contents: read
 
 jobs:
   tests:

.github/workflows/update-changelog.yml

@@ -4,6 +4,10 @@ on:
   release:
     types: [released]
 
+permissions: {}
+
 jobs:
   update:
+    permissions:
+      contents: write
     uses: laravel/.github/.github/workflows/update-changelog.yml@main