Tighten CI permissions, lock down tokens, and reduce supply-chain risk with a few high-impact settings.
