
ci: add top-level permissions to CI workflow for least-privilege security #9344

@mr-raj12

Description


The CI workflow (ci.yml) does not set a top-level permissions: block. Without one, all jobs without explicit job-level permissions inherit the default GITHUB_TOKEN permissions — which on push events includes write access to contents, packages, deployments, etc.

Proposed fix: Add a top-level `permissions: contents: read` to restrict the default token to read-only. Jobs that need elevated permissions (native_tests, vm_tests) already have job-level overrides and are unaffected.

This follows the GitHub-recommended least-privilege principle for workflow tokens.

Jobs affected (gain explicit read-only restriction):

  • lint — only uses actions/checkout + ruff
  • security — only uses actions/checkout + bandit
  • asan_ubsan — only uses actions/checkout + build + test
  • windows_tests — uses actions/checkout + build + test + upload-artifact (upload-artifact uses internal Actions API, not GITHUB_TOKEN)

Jobs unaffected (already have job-level permissions):

  • native_tests (contents: read, id-token: write, attestations: write)
  • vm_tests (contents: read, id-token: write, attestations: write)
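The following workflow is an added illustration of the proposed change, not the project's actual ci.yml. The job names (lint, security, native_tests) and the job-level permissions on native_tests are taken from the description above; the trigger list, step contents and action versions are assumptions made for the example. The top-level `permissions:` block is the part the issue asks to add; the commented-out alternative shows the behaviour it replaces.

```yaml
name: CI

on:
  push:
  pull_request:

# Workflow-level default for GITHUB_TOKEN. Every job that does not declare its
# own `permissions:` block inherits exactly this (read-only on repository
# contents, nothing else). Without this block, jobs lacking job-level
# permissions inherit the repository's default token scope, which on push
# events can include write access to contents, packages and deployments.
permissions:
  contents: read

jobs:
  # Assumed step list: only needs to read the checkout, so the workflow-level
  # default is sufficient and no job-level override is declared.
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install ruff && ruff check .

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install bandit && bandit -r .

  # A job-level block replaces (does not merge with) the workflow-level default,
  # so every scope this job needs must be listed here, including contents: read.
  # The id-token/attestations scopes match those cited in the issue for this job;
  # the attestation step itself is an assumed placeholder.
  native_tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - run: make test            # assumed build/test command
      # - uses: <attestation action>  # elided; not specified on the page
```

A quick way to verify the effect after merging: the "Set up job" step of every job in the Actions log prints a "GITHUB_TOKEN Permissions" section listing the exact scopes granted to that job; lint and security should show only `Contents: read`, while native_tests should additionally show `IdToken: write` and `Attestations: write`.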
