fix: add explicit permissions block to CI workflow

Add minimal permissions block to comply with GitHub security best practices.
The GITHUB_TOKEN now only has 'contents: read' permission, which is
sufficient for a CI workflow that only runs tests and builds.

This resolves the CodeQL alert: 'Workflow does not contain permissions'

See: https://docs.github.com/en/actions/security-guides/automatic-token-validation

Author: jkyberneees

.github/workflows/ci.yml

@@ -6,6 +6,11 @@ on:
   pull_request:
     branches: ["**"]
 
+# Minimum permissions required for CI workflow (secure by default).
+# See: https://docs.github.com/en/actions/security-guides/automatic-token-validation
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test