
Commit 8c6f1fb

ci: declare read-all permissions on build-test workflow
The build-test workflow has two jobs:

gen-matrix -- actions/checkout + tj-actions/changed-files + actions/github-script to compute the matrix from the PR diff. No GitHub API write.

build -- actions/checkout + docker/build-push-action with `push: false, load: true`, then docker run/test. No GitHub API write, no registry push.

`permissions: read-all` at workflow scope matches the shorthand scorecard.yml already uses, and brings build-test in line with the per-job blocks declared by official-pr.yml, missing-checksum.yml, shfmt.yml, doctoc.yml, eclint.yml, automatic-updates.yml, and markdown-link-check.yml.

Note: this workflow uses tj-actions/changed-files, the action behind CVE-2025-30066 (the March-2025 supply-chain attack). The compromised release exfiltrated the runner's GITHUB_TOKEN through workflow logs; the downstream blast radius scaled with whatever scope the token had been issued at. Pinning the workflow to read-only bounds that radius.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent f2e1347 commit 8c6f1fb

1 file changed

Lines changed: 2 additions & 0 deletions


.github/workflows/build-test.yml

@@ -15,6 +15,8 @@ on:
1515
- genMatrix.js
1616
- ".github/workflows/build-test.yml"
1717

18+
permissions: read-all
19+
1820
jobs:
1921
gen-matrix:
2022
name: generate-matrix
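Review bot: `permissions: read-all` on the added line 18 grants read access to every token scope, more than the commit message's own analysis says either job needs; since both jobs only check out the repository and compute the matrix from the PR diff, an explicit block such as `permissions:` / `contents: read` / `pull-requests: read` (the second only if the matrix step reads the PR through the API rather than from the local git history) would be the least-privilege floor and would document why each scope exists. Going from the repository default to `read-all` is still a strict tightening, so this is a suggestion rather than a blocker. Separately, scoping the token down bounds the blast radius described for CVE-2025-30066 but does not replace pinning `tj-actions/changed-files` to a full commit SHA; that `uses:` line is outside this hunk and is worth confirming in the same file.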
