Add explicit permissions to draft-pdf workflow

Addresses CodeQL security alert: restrict GITHUB_TOKEN to read-only
contents access following least-privilege principle.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: TomeHirata

.github/workflows/draft-pdf.yml

@@ -1,5 +1,8 @@
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   paper:
     runs-on: ubuntu-latest