Add explicit least-privilege permissions to read-only CI workflows

[arpitjain099]

What

Adds a workflow-level permissions: contents: read block to seven workflows that currently declare no permissions at all:

• build.yaml
• code-formatting-check.yaml
• docs.yaml
• local-development-makefile.yaml
• test.yaml
• typos.yaml
• version-checks.yaml

Why

All seven are pure CI workflows — build, format check, docs build, makefile compile, tests, typos spell check, and version consistency check. None push commits, create releases, comment on PRs, or call any GitHub API endpoint that needs write scopes. The GITHUB_TOKEN for these workflows only needs read access for the checkout step, so declaring contents: read at the workflow level documents the minimum scope and removes reliance on the repository default token permissions.

This matches the existing project pattern: workflows that need elevated scopes (cargo-audit.yaml, codeql.yaml, github-dependency-review.yaml, lint.yaml) already declare them at the job level. This PR fills the gap for the read-only workflows that were leaving scope implicit.

Verification

• YAML validity: python3 -c "import yaml; yaml.safe_load(open(...))" passes on each of the seven files.
• No change to jobs, steps, or matrix; only the workflow-level permissions: block is added.

Reference

• GitHub docs — Modifying the permissions for the GITHUB_TOKEN
• OpenSSF Scorecard — Token-Permissions check

[Copilot]

Pull request overview

This PR tightens GitHub Actions security by explicitly setting least-privilege GITHUB_TOKEN permissions (contents: read) for CI workflows that previously relied on the repository default token permissions.

Changes:

• Add workflow-level permissions: contents: read to 7 CI workflows to make read-only intent explicit.
• Align these workflows with the repo’s existing pattern of explicitly declaring permissions (especially for workflows that need elevated scopes).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/workflows/build.yaml	Adds explicit workflow-level contents: read token permissions.
.github/workflows/code-formatting-check.yaml	Adds explicit workflow-level contents: read token permissions.
.github/workflows/docs.yaml	Adds explicit workflow-level contents: read token permissions.
.github/workflows/local-development-makefile.yaml	Adds explicit workflow-level contents: read token permissions.
.github/workflows/test.yaml	Adds explicit workflow-level contents: read token permissions.
.github/workflows/typos.yaml	Adds explicit workflow-level contents: read token permissions.
.github/workflows/version-checks.yaml	Adds explicit workflow-level contents: read token permissions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.69%. Comparing base (ebc705a) to head (45fcee0).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #657   +/-   ##
=======================================
  Coverage   78.69%   78.69%           
=======================================
  Files          25       25           
  Lines        5234     5234           
  Branches     5234     5234           
=======================================
  Hits         4119     4119           
  Misses        995      995           
  Partials      120      120           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.