Potential fix for code scanning alert no. 2: Workflow does not contain permissions #127

Merged
dedece35 merged 1 commit into main from alert-autofix-2 on Feb 13, 2026

@dedece35
Member

Potential fix for https://github.com/green-code-initiative/creedengo-python/security/code-scanning/2

In general, the fix is to define an explicit `permissions` block for the workflow or for the specific job so that the `GITHUB_TOKEN` has only the minimal scopes required. For a stale-labeling workflow, that typically means read access to contents plus write access to pull requests (for labels and comments). We do not need broad `contents: write` or `issues: write` here, since the job only operates on pull requests.

For this specific file, the least intrusive, functionality-preserving change is to add a `permissions` section under the `stale` job (indented to align with `runs-on`). We will set:

  • `contents: read` so the action can read repository data if needed.
  • `pull-requests: write` so it can label and comment on PRs.

We keep all existing keys and values unchanged. The new lines will go directly between `runs-on: ubuntu-latest` (line 9) and `steps:` (line 10) in `.github/workflows/stale_tag.yml`. No imports or additional definitions are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@dedece35 dedece35 marked this pull request as ready for review February 13, 2026 20:38
@dedece35 dedece35 merged commit 9c3e45b into main Feb 13, 2026
9 checks passed
@dedece35 dedece35 deleted the alert-autofix-2 branch February 13, 2026 20:38
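
An added example, not part of this PR or of the project's code: a dependency-free check that reports jobs with no `permissions:` key at job or workflow level, run over a constructed workflow before and after the change described above. The function name `jobs_missing_permissions` and the sample workflow body are assumptions; the check assumes block-style YAML indented with spaces.

```python
import re

# Matches a block-style mapping key such as "    runs-on:"; list items ("- run:") do not match.
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")

def jobs_missing_permissions(workflow_text):
    """Return ids of jobs with no `permissions:` at job or workflow level."""
    top_level = False   # workflow-level permissions block seen
    in_jobs = False     # currently inside the top-level `jobs:` mapping
    job_indent = None   # indentation of job ids
    key_indent = None   # indentation of keys inside the current job
    current = None
    covered = {}        # job id -> job-level permissions present
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs = key == "jobs"
            top_level = top_level or key == "permissions"
            current = None
        elif in_jobs:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:
                current, key_indent = key, None
                covered[current] = False
            elif current is not None and indent > job_indent:
                if key_indent is None:
                    key_indent = indent
                if indent == key_indent and key == "permissions":
                    covered[current] = True
    return [] if top_level else [j for j, ok in covered.items() if not ok]

# Constructed sample: only `stale`, `runs-on: ubuntu-latest` and `steps:` come from the PR text.
BEFORE = """\
name: stale
on:
  schedule:
    - cron: "0 0 * * *"
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder step"
"""
# The change the PR describes: job-level permissions between runs-on and steps.
AFTER = BEFORE.replace(
    "    steps:",
    "    permissions:\n      contents: read\n      pull-requests: write\n    steps:",
)

if __name__ == "__main__":
    print("before:", jobs_missing_permissions(BEFORE))
    print("after: ", jobs_missing_permissions(AFTER))
```
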
@sonarqubecloud