feat: add explicit permissions to GitHub workflows

[Copilot]

Context

GitHub Actions workflows lacked explicit permission declarations, relying on default token permissions. This violates the principle of least privilege and GitHub's security best practices.

Related Jira ticket

Screenshots

Changes

• ci.yml: Added permissions: contents: read for read-only access during PR checks (lint, type-check, test)
• release.yml: Already configured correctly with contents: read and id-token: write

# ci.yml
on:
  pull_request:

permissions:
  contents: read  # Read-only access for checkout and validation

This ensures workflows operate with minimum required permissions, preventing accidental privilege escalation.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>add explicit permisions to GH workflows</issue_title>
<issue_description></issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes add explicit permisions to GH workflows #205

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This PR enhances GitHub Actions security by adding explicit permission declarations to the CI workflow, following the principle of least privilege and GitHub's security best practices.

Changes:

• Added permissions: contents: read to the CI workflow for read-only access during PR validation checks (lint, type-check, test)