Add explicit permissions blocks to CI workflows

Limit GITHUB_TOKEN permissions to contents:read by default, as
recommended by GitHub's security scanner. The create-release job
overrides this with contents:write as needed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: lukewilliamboswell

.github/workflows/ci.yml

@@ -9,6 +9,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Limit permissions of the GITHUB_TOKEN
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     name: test (${{ matrix.os }})

.github/workflows/release.yml

@@ -14,6 +14,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Limit permissions of the GITHUB_TOKEN (override at job level as needed)
+permissions:
+  contents: read
+
 jobs:
   build-and-bundle:
     name: Build and Bundle Platform