ci: declare workflow-level contents: read on 3 workflows

Pins the default GITHUB_TOKEN to contents: read on workflows that don't
call a GitHub API beyond the initial checkout. Other workflows that need
write scopes are left implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection, and are credited per-file by the OpenSSF
Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Author: arpitjain099

.github/workflows/test-long-all.yml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 11 * * *"  # 11 UTC, everyday
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: ${{ matrix.os }} ${{ matrix.version }} ${{ matrix.go }}

.github/workflows/test-long.yml

@@ -2,6 +2,9 @@ name: Long Tests
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: ${{ matrix.os }} ${{ matrix.version }} ${{ matrix.go }}

.github/workflows/test-smoke.yml

@@ -2,6 +2,9 @@ name: Smoke Tests
 
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: ${{ matrix.os }} ${{ matrix.version }}