
security: harden GitHub Actions workflow permissions#934

Draft
matthiasbruns wants to merge 1 commit into main from security/harden-workflow-permissions

Conversation

@matthiasbruns
Contributor

@matthiasbruns matthiasbruns commented May 27, 2026

What this PR does / why we need it

Hardens GitHub Actions workflow permissions to follow the principle of least privilege, addressing two security findings:

  1. Remove unused pull-requests: write from check-manifest-generation-diff.yaml — this workflow only runs git diff and never writes to a PR, so the permission was excessive.

  2. Add top-level permissions: {} to release.yaml, codeql.yml, and trigger-blackduck-scan.yaml — without a top-level block, any job added in the future without its own permissions entry would silently inherit the repository default (typically write-all). All existing job-level permissions are unchanged and workflows remain fully functional.

Which issue(s) this PR fixes

No linked issue — addresses security findings reported externally.

Testing

How to test the changes

No functional changes. Verify workflows trigger and complete as normal after merge.

Verification
  • I have added/updated tests for my changes (see Test Requirements)
  • Tests pass locally (task test and task test/integration if applicable)
  • If touching multiple modules, go work is enabled (see go.work)
  • My changes do not decrease test coverage
  • I have tested the changes locally by running ocm
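As an added illustration, not a file from this PR or from the ocm repository, the following constructed release workflow shows the pattern the description relies on: an empty top-level `permissions: {}` that denies every scope by default, with each job opting in to exactly the scopes it needs. The workflow name, tag pattern, job names and commands are assumptions made up for the example.

```yaml
# Constructed example (not one of the workflows touched by the PR).
#
# Weak form, for contrast: no top-level `permissions:` block at all.
#
#   name: release
#   on: { push: { tags: ["v*"] } }
#   jobs:
#     publish:
#       runs-on: ubuntu-latest   # token scope = repository default, often write-all
#       steps: [...]
#
# Hardened form: the top level grants nothing; jobs request what they use.
name: release

on:
  push:
    tags: ["v*"]

# Deny everything by default. A job added later without its own
# `permissions:` block now gets a token with no scopes instead of
# silently inheriting the repository default.
permissions: {}

jobs:
  check-tag:
    runs-on: ubuntu-latest
    # No permissions block on purpose: this job never touches the API,
    # so with the top-level `{}` its token carries no scopes at all.
    steps:
      - run: |
          case "$GITHUB_REF_NAME" in
            v[0-9]*) echo "tag ok: $GITHUB_REF_NAME" ;;
            *) echo "unexpected tag: $GITHUB_REF_NAME"; exit 1 ;;
          esac

  build:
    runs-on: ubuntu-latest
    needs: check-tag
    permissions:
      contents: read          # checkout of a private repo needs at least this
    steps:
      - uses: actions/checkout@v4
      - run: go build ./...

  publish:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write         # the only scope creating a release requires
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

Two points worth checking when applying this to a real workflow: a job that only runs `git diff` on a checked-out tree needs `contents: read` and nothing else (which is why `pull-requests: write` was excess in the first finding), and once the top-level block is `{}` any job that does `actions/checkout` on a private repository must declare `contents: read` itself or the checkout fails, so a missing grant surfaces as a visible failure rather than as an over-privileged token.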

@matthiasbruns matthiasbruns requested a review from a team as a code owner May 27, 2026 16:52
@matthiasbruns matthiasbruns marked this pull request as draft May 27, 2026 18:03
@matthiasbruns matthiasbruns force-pushed the security/harden-workflow-permissions branch from 775627d to f4d2f53 May 27, 2026 18:06
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns matthiasbruns force-pushed the security/harden-workflow-permissions branch from f4d2f53 to f73e2c7 May 27, 2026 18:07