Make it so pull requests from outside contributors can't edit workflows under .github/workflows/ without approval. Also limit workflows to the minimum permissions necessary.
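
An added example (not code from this repository) of a check that audits both requirements. It assumes approval is enforced through a `CODEOWNERS` rule on `.github/workflows/` combined with required code-owner review on the protected branch; the owner handles and workflow bodies are constructed samples.

```python
from __future__ import annotations
import re

# Constructed sample inputs; owner handles and workflow bodies are hypothetical.
SAMPLE_CODEOWNERS = """\
*.md                 @example-org/docs
/.github/workflows/  @example-org/maintainers
"""
SAMPLE_WORKFLOWS = {
    "ci.yml": "on: pull_request\npermissions:\n  contents: read\njobs: {}\n",
    "release.yml": "on: push\npermissions: write-all\njobs: {}\n",
    "lint.yml": "on: pull_request\njobs:\n  lint:\n    permissions:\n      pull-requests: write\n",
}


def workflows_have_owner(codeowners: str) -> bool:
    """True if a CODEOWNERS rule names an owner for .github/workflows/."""
    # Heuristic: explicit directory rules only; wildcards and rule order are ignored.
    for line in codeowners.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].strip("/") in (".github", ".github/workflows"):
            return True
    return False


def audit_permissions(workflow_text: str) -> list[str]:
    """Line-based check of one workflow file; a heuristic, not a YAML parser."""
    findings = []
    if not re.search(r"^permissions:", workflow_text, re.M):
        findings.append("no top-level permissions block")
    if re.search(r"^\s*permissions:\s*write-all\s*$", workflow_text, re.M):
        findings.append("permissions: write-all")
    for scope in re.findall(r"^\s+([a-z-]+):\s*write\s*$", workflow_text, re.M):
        findings.append(f"write scope: {scope}")
    return findings


def audit_repo(codeowners: str, workflows: dict[str, str]) -> dict[str, list[str]]:
    """Collect findings per file; files with no findings are omitted."""
    report = {name: f for name, text in workflows.items() if (f := audit_permissions(text))}
    if not workflows_have_owner(codeowners):
        report["CODEOWNERS"] = ["no owner rule for .github/workflows/"]
    return report


if __name__ == "__main__":
    for path, issues in audit_repo(SAMPLE_CODEOWNERS, SAMPLE_WORKFLOWS).items():
        print(path, issues)
```

A write scope is not always wrong; each one reported is a prompt to confirm the job needs it.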