Add support for permissions.secrets so actions can write secrets

[iansan5653]

Actions can already read secrets if they are within the current scope, but there are some instances where a secret could be more dynamic than a long-lived static value. For example, a token might need to be rolled every so often. This could be performed automatically by a Workflow, but the default GITHUB_TOKEN cannot be scoped to manage secrets.

This type of task can still be accomplished by providing a PAT with the correct access, but this is not ideal:

• It's annoying to create a new secret just for managing secrets
• PATs also have to be rolled every so often, so it's not really solving the core problem
• It's easy to accidentally create a PAT that has access to every secret in every repo, which is dangerous

[sinedied]

What I don't understand, is that the contents permission should encompass the secrets permission, according to https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents, but in practice it doesn't work.

So yes, having the possibility to set permission to write secrets in a workflow would be helpful!