GitHub automatically creates an API token with write permissions to all data of the repository. See https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token#about-the-github_token-secret
However, for many uses of GitHub Actions, a mostly read-only token is sufficient and desired for security purposes. For example, a CI would need read-only permission, and the only write permission is used to change the status of a Check after the build has been run.
So is there any way to limit the permissions of GitHub Actions, to limit the potential damage that it can do?