[CI] Set permissions for GitHub Actions

[joycebrum]

Summary of changes

• Add top level permissions as contents: read
• Add run level permission of main.yml as contents: write

I've tested both actions

ci-sage.yml

• https://github.com/joycebrum/setuptools/actions/runs/4196423842 on workflow dispatch - OK!
• https://github.com/joycebrum/setuptools/actions/runs/4197089106 on tag pushed - OK!

main.yml

• https://github.com/joycebrum/setuptools/actions/runs/4196611545 on push - OK with release skiped.
• https://github.com/joycebrum/setuptools/actions/runs/4197089043 on tag pushed - error cannot push to pypi

I tried to make main.yml work but I think it is not an error related to GITHUB_TOKEN permissions since it had contents: write permission. I've concluded it was related to access to pypi and, being it, it makes total sense that the action failed. Let me know if I get it wrong or if there is any more test I can do.

Closes #3830

Pull Request Checklist

• Changes have tests
• News fragment added in changelog.d/.
  (See documentation for details)

[abravalheri]

Thank you very much @joycebrum, that looks good.
Let's see what is the review in jaraco/skeleton

[jaraco]

After merging with main (and resolving that the conflicts that weren't caught by git), this change only applies to ci-sage.yml.