Specify default permissions, other security for "Update Label Directory" & "Flag Issues Unlabeled..." workflows #8595

Open

t-will-gillis wants to merge 3 commits into hackforla:gh-pages from t-will-gillis:specify-default-update-label-8587

Conversation

t-will-gillis (Member) commented Mar 29, 2026

Fixes #8587

What changes did you make?

  • in flag-issues-unlabeled-after-deletion.yml added a default permissions block
  • in update-label-directory.yml added a default permissions block
  • replaced the hard-coded URL to the Google Apps spreadsheet with a secret. Note that I already saved the existing URL as a secret.

Why did you make the changes (we will use this info to test)?

  • Permissions blocks added to limit default permissions to only what is needed
  • The hard-coded URL, though not inherently insecure, does not need to be exposed. It also will be easier to update the secret URL without committing new code. After this PR is merged, we will need to update the Apps Script and save the updated URL as good practice.

CodeQL Alerts

After the PR has been submitted and the resulting GitHub actions/checks have been completed, developers should check the PR for CodeQL alert annotations.

Check the PR's comments. If present on your PR, the CodeQL alert looks similar to the one shown:

[Screenshot: example CodeQL alert annotation on a PR]

Please let us know that you have checked for CodeQL alerts. Please do not dismiss alerts.

  • I have checked this PR for CodeQL alerts and none were found.
  • I found CodeQL alert(s), and (select one):
    • I have resolved the CodeQL alert(s) as noted
    • I believe the CodeQL alert(s) is a false positive (Merge Team will evaluate)
    • I have followed the Instructions below, but I am still stuck (Merge Team will evaluate)
Instructions for resolving CodeQL alerts

If CodeQL alert/annotations appear, refer to How to Resolve CodeQL alerts.

In general, CodeQL alerts should be resolved prior to PR reviews and merging.

Screenshots of Proposed Changes To The Website (if any, please do not include screenshots of code changes)

  • no visual changes
  • Test log showing that the automation runs both with default permissions specified and the "secret" URL.
  • Second test log showing automation running after label is deleted.
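The two changes the PR describes, a top-level permissions block and an endpoint URL read from a secret, as an added illustrative workflow. This is not the project's own update-label-directory.yml or flag-issues-unlabeled-after-deletion.yml; the trigger, job name, step contents, payload and the secret name APPS_SCRIPT_URL are assumptions.

```yaml
# Added illustrative example, not the project's workflow file.
# The secret name APPS_SCRIPT_URL, the trigger and the step are assumptions.
name: Update Label Directory (illustrative)

on:
  label:
    types: [created, edited, deleted]
  workflow_dispatch:

# Top-level permissions block: the GITHUB_TOKEN issued to every job in this
# workflow gets exactly the scopes listed here. Every scope not listed
# (issues, pull-requests, actions, ...) becomes "none", regardless of the
# repository-wide default for the token.
permissions:
  contents: read

jobs:
  update-directory:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The endpoint URL comes from a repository secret instead of being
      # committed in the YAML. GitHub masks secret values in the job log,
      # and the URL can be rotated under Settings > Secrets with no commit.
      # Passing the secret through env: (rather than interpolating
      # ${{ secrets.* }} inside the script) keeps it out of the shell text.
      - name: Post label data to the Apps Script endpoint
        env:
          APPS_SCRIPT_URL: ${{ secrets.APPS_SCRIPT_URL }}
        run: |
          if [ -z "$APPS_SCRIPT_URL" ]; then
            echo "APPS_SCRIPT_URL secret is not set in this repository" >&2
            exit 1
          fi
          # Constructed payload; GITHUB_EVENT_NAME is a default Actions variable.
          payload=$(printf '{"event":"%s"}' "$GITHUB_EVENT_NAME")
          curl --fail --silent --show-error \
            -H 'Content-Type: application/json' \
            --data "$payload" \
            "$APPS_SCRIPT_URL"
```

A workflow that must also write to issues (for example, re-labeling an issue after a label is deleted) would add `issues: write` to the same `permissions` block rather than leaving the token at the repository default. The empty-secret check matters for testing: repository secrets are not available to workflows triggered by a `pull_request` event from a fork, so a run from a fork would otherwise fail only at the `curl` call with a less obvious error.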

github-actions bot commented

Want to review this pull request? Take a look at this documentation for a step by step guide!


From your project repository, check out a new branch and test the changes.

git checkout -b t-will-gillis-specify-default-update-label-8587 gh-pages
git pull https://github.com/t-will-gillis/website.git specify-default-update-label-8587

github-actions bot added the labels role: back end/devOps (Tasks for back-end developers), Complexity: Medium, Feature: Refactor GHA (Refactoring GitHub actions to fit latest architectural norms) and size: 5pt (Can be done in 19-30 hours) on Mar 29, 2026

Commit: Add permissions for reading contents in workflow

t-will-gillis changed the title from "Specify default permissions, other security for "Update Label Directory" workflow" to "Specify default permissions, other security for "Update Label Directory" & "Flag Issues Unlabeled..." workflows" on Mar 30, 2026

Labels

Complexity: Medium; Feature: Refactor GHA (Refactoring GitHub actions to fit latest architectural norms); role: back end/devOps (Tasks for back-end developers); size: 5pt (Can be done in 19-30 hours)

Projects

Status: PR Needs review

Development

Successfully merging this pull request may close these issues.

Specify default permissions for update-label-directory.yml and flag-issues-unlabeled-after-deletion.yml

1 participant