Scope `GITHUB_TOKEN` permissions (#4084)
## Description

This PR does a few things related to scoping our tokens:

* Add a `- uses: GitHubSecurityLab/actions-permissions/monitor@v1` to most of our actions so we can get ongoing summaries of the permissions each action is using. Some actions, like Windows tests and the TLS tests, are excluded because they are not supported or the proxy it uses breaks the test.
* Add explicit `permissions` scoping to various jobs that need it.
* Although not part of the PR, I have changed our Workflow Permissions (in Settings > Actions > General > Workflow Permissions) from defaulting to Read/Write to Read Only.

## Testing

* The CI for this PR ran successfully (except the Canary, but that appears to be an issue unrelated to this PR).
* A dry-run release using the workflows from this branch succeeded: https://github.com/smithy-lang/smithy-rs/actions/runs/14275005243
* Various other manually runnable actions tested against this branch:
  * Daily credentials verification: https://github.com/smithy-lang/smithy-rs/actions/runs/14288824835
  * Update lockfiles: https://github.com/smithy-lang/smithy-rs/actions/runs/14288809742
  * Invoke canary (failed but not for permissions reasons): https://github.com/smithy-lang/smithy-rs/actions/runs/14288631692

**Note:** I did not test the prod release workflow for obvious reasons. It might need permissions added next time it is invoked. I will cut a release as a follow-up to this PR to see if anything needs updating.

## Checklist

----

_By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._
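The two mechanisms the PR combines, as an added illustration rather than smithy-rs's own workflow: a workflow-level `permissions: {}` that mirrors the repository's read-only default, per-job grants limited to what each job needs, and the monitor step placed first so it can observe the later steps. The job names, scripts and the write scopes assumed for the lockfile job are placeholders, not taken from the smithy-rs repository.

```yaml
# Added example, not a smithy-rs workflow. Job names and scripts are placeholders.
name: ci
on:
  pull_request:
  push:
    branches: [main]

# Workflow-wide default: GITHUB_TOKEN gets no scopes at all.
# This matches the repository setting "Workflow permissions: Read only"
# and makes every job opt in to exactly the scopes it needs.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # enough to check out the repository
    steps:
      # Monitor runs first so it can report which scopes the remaining
      # steps actually exercised; review its summary before tightening further.
      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
      - uses: actions/checkout@v4
      - run: cargo test --workspace          # placeholder test command

  update-lockfiles:
    runs-on: ubuntu-latest
    # Assumed scopes for a job that regenerates lockfiles and pushes the result.
    # Keep grants at the job level so the "test" job above never inherits them.
    permissions:
      contents: write           # push the regenerated lockfile
      pull-requests: write      # open or update the PR carrying it
    steps:
      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
      - uses: actions/checkout@v4
      - run: ./tools/update-lockfiles.sh     # placeholder script
```

A job that never declares `permissions` inherits the workflow-level `{}` and fails loudly on its first write, which is the behaviour you want when the defaults are read-only.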