Add docs on resolving CKV2_GHA_1: "Ensure top-level permissions are not set to write-all" #6977

Open
JoshuaKGoldberg opened this issue Jan 27, 2025 · 0 comments

Comments

JoshuaKGoldberg commented Jan 27, 2025

Coming over from eslint/eslint#19356: debugging the CKV2_GHA_1 message:

.github/workflows/stale.yml:15:1
 15:1  high  Ensure top-level permissions are not set to write-all  checkov/CKV2_GHA_1

There isn't much documentation on the check that I could find. From https://www.checkov.io/5.Policy%20Index/github_actions.html:

CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | ReadOnlyTopLevelPermissions.yaml

...but that's it, seemingly, on checkov.io?

Request: for at least this rule (and ideally all of the GHA checks), could the site include an explainer with multi-sentence descriptions of:

  • What the rule checks for
  • Why it checks for that
  • How to resolve its reports

For reference, the ESLint and typescript-eslint docs tend to do this:

Note that this is related to #4127. I filed a new issue here because that one has a lot of comments and seems to be user questions focused on understanding the issue, not a docs request.
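As an added illustration of what the rule is about (this is example code written for this issue, not checkov's own check logic and not anything from the ESLint repository): the snippet below embeds two constructed workflow files loosely modelled on the `stale.yml` named in the report, one with the top-level `permissions: write-all` that trips CKV2_GHA_1 and one scoped down to the two scopes a stale-issue job actually needs, and a deliberately small line-based reader of the top-level `permissions` key that tells them apart. It assumes two-space indentation and block-style (not `{...}` flow-style) mappings, which is how workflows are normally written.

```python
"""Illustration of what a CKV2_GHA_1-style check looks at.

Example code for this issue, NOT checkov's implementation. It reads only
the workflow's top-level `permissions` key, so job-level permissions are
intentionally out of scope, exactly as the rule's name says.
Assumptions: two-space indentation, block-style mappings, no inline comments
on the `permissions:` line.
"""
from typing import Dict, Optional, Union

# Constructed sample: the shape that is reported as
# "Ensure top-level permissions are not set to write-all".
WORKFLOW_WRITE_ALL = """\
name: stale
on:
  schedule:
    - cron: "0 0 * * *"
permissions: write-all
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9
"""

# Constructed sample: same workflow, GITHUB_TOKEN limited to the scopes
# a stale-issue job needs. Everything not listed is implicitly "none".
WORKFLOW_SCOPED = """\
name: stale
on:
  schedule:
    - cron: "0 0 * * *"
permissions:
  issues: write
  pull-requests: write
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9
"""


def top_level_permissions(workflow: str) -> Optional[Union[str, Dict[str, str]]]:
    """Return the value of the top-level `permissions` key.

    A scalar (`write-all`, `read-all`) comes back as a string; a mapping of
    scopes comes back as a dict. None means the key is absent, in which case
    GitHub applies the repository's default token permissions instead.
    """
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        # Only an unindented key is top-level; "    permissions:" under a job is not.
        if not line.startswith("permissions:"):
            continue
        scalar = line[len("permissions:"):].strip()
        if scalar:
            return scalar
        # Block mapping: collect the indented "scope: level" lines that follow.
        scopes: Dict[str, str] = {}
        for nested in lines[i + 1:]:
            if not nested.startswith("  ") or not nested.strip():
                break
            key, _, value = nested.strip().partition(":")
            scopes[key.strip()] = value.strip()
        return scopes
    return None


def violates_ckv2_gha_1(workflow: str) -> bool:
    """True when the top-level permissions key is the literal write-all."""
    return top_level_permissions(workflow) == "write-all"


if __name__ == "__main__":
    for name, text in (("write-all", WORKFLOW_WRITE_ALL), ("scoped", WORKFLOW_SCOPED)):
        verdict = "FAIL" if violates_ckv2_gha_1(text) else "pass"
        print(f"{name}: {verdict} -> {top_level_permissions(text)!r}")
```

The resolution the rule is steering towards is the second shape: name the scopes the jobs in the file need and leave the rest at their implicit `none`, or set `read-all` / drop the key when the repository default is already read-only. Note that the reader above deliberately does not look at a `permissions:` key nested under a job, because the check as named is about the top-level key only.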
