fix(ci): add missing workflow permissions to resolve security alerts (#646)

Co-authored-by: Claude <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -11,6 +11,10 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   setup:
     strategy:

.github/workflows/ci@main.yml

@@ -12,6 +12,10 @@ on:
       - 'rush.json'
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:

.github/workflows/common-pr-checks.yml

@@ -9,6 +9,9 @@ on:
       - 'rush.json'
     types: [opened, edited, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   common-checks:
     name: PR Common Checks

.github/workflows/idl.yaml

@@ -12,6 +12,9 @@ on:
       - 'idl/**'
       - '.github/workflows/idl.yaml'
 
+permissions:
+  contents: read
+
 jobs:
   validate-thrift:
     runs-on: ubuntu-latest

.github/workflows/license-check.yaml

@@ -7,6 +7,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   license-check:
     name: License Check

.github/workflows/semantic-pull-request.yaml

@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
   cancel-in-progress: true
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     name: Check Pull Request Title