
Add explicit minimal permissions to GitHub Actions workflows#62

Draft
Copilot wants to merge 3 commits into main from copilot/fix-workflow-permissions

Conversation

Contributor

Copilot AI commented Oct 21, 2025

Problem

Security scans identified three GitHub Actions workflows missing explicit permission declarations (issues #6, #5, and #3). When workflows lack explicit permissions, they inherit repository or organization-level permissions, which may grant excessive access that violates the principle of least privilege.

Solution

Added explicit minimal permissions to all workflow jobs following GitHub's security best practices:

.github/workflows/release.yml

  • build job: Added contents: read (for code checkout) and id-token: write (for Azure OIDC authentication)
  • publish job: Added contents: read (for artifact operations)

.github/workflows/pull-request.yml

  • build job: Added contents: read (for code checkout)

Impact

  • ✅ Eliminates security vulnerabilities by restricting workflow permissions to the minimum required
  • ✅ Maintains full functionality - all workflows continue to work as expected
  • ✅ Release workflow can still publish to npm and Azure Storage (uses external secrets, not GitHub permissions)
  • ✅ No changes to workflow behavior or outputs

These changes ensure our workflows follow security best practices while maintaining all existing functionality.

Fixes #6, #5, #3

Original prompt

This section details the original issue you should resolve

<issue_title>Workflow does not contain permissions</issue_title>
<issue_description># Problem

Security scan complains about GitHub workflow missing permissions

issue 1 : https://github.com/microsoft/omnichannel-amsclient/security/code-scanning/6
component : .github/workflows/release.yml:23

issue 2 : https://github.com/microsoft/omnichannel-amsclient/security/code-scanning/5
component : .github/workflows/release.yml:77

issue 3 : https://github.com/microsoft/omnichannel-amsclient/security/code-scanning/3
component : .github/workflows/pull-request.yml:10

Error
If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the write permission only to specific types such as issues: write or pull-requests: write.

Expected
Add changes that meet the criteria, without messing with functionality; release.yaml should be able to publish</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #61


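The shape of the change the PR description lists, as an added illustration rather than the repository's actual release.yml: a trimmed workflow with a read-only workflow-level default and job-level blocks for the build and publish jobs. Step contents, action versions and secret names are assumptions; only the permission scopes come from the PR.

```yaml
# Added example, not the project's workflow file. Actions, versions and
# secret names below are assumptions chosen to show the permission scopes.
name: release

on:
  push:
    tags: ['v*']

# Workflow-level default: every job starts read-only unless it overrides this.
# Without any permissions key, jobs fall back to the repository/org default,
# which for older repositories is read-write across all scopes.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the default completely: any scope
    # not listed here is 'none', so list exactly what the job needs.
    permissions:
      contents: read     # checkout of the repository
      id-token: write    # mint the OIDC token used for Azure federated login
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read     # artifact download only; no write scope is needed
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # npm and Azure Storage publishing authenticate with external secrets,
      # not with the GITHUB_TOKEN, so no write permission is required here.
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Because a job-level `permissions:` block overrides rather than extends the workflow default, a job that later needs an extra scope (for example `packages: write`) must add it explicitly, which keeps each grant visible in review.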

Copilot AI and others added 2 commits October 21, 2025 20:34
Co-authored-by: elopezanaya <981914+elopezanaya@users.noreply.github.com>
Co-authored-by: elopezanaya <981914+elopezanaya@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix missing permissions in workflows" to "Add explicit minimal permissions to GitHub Actions workflows" Oct 21, 2025
Copilot AI requested a review from elopezanaya October 21, 2025 20:38