ci: declare workflow-level contents: read on ci and lint

Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Author: arpitjain099

.github/workflows/ci.yml

@@ -5,6 +5,9 @@ on: [pull_request, push, workflow_dispatch]
 env:
   FORCE_COLOR: 1
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Check build, markup, and links

.github/workflows/lint.yml

@@ -2,6 +2,9 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest