ci: declare contents:read on test-docs-builder-setup workflow

[arpitjain099]

Adds a workflow-level permissions: contents: read block. The job here only checks out the repository and runs its tests / validation; no GitHub API call beyond the initial checkout is needed.

CVE-2025-30066 (the March 2025 tj-actions/changed-files supply-chain compromise) is the canonical motivation: a tampered third-party action exfiltrated GITHUB_TOKEN from workflow logs and the leaked token retained whatever scope was issued at the workflow level. Per-workflow caps bound that runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and register with OpenSSF Scorecard's Token-Permissions check (which only credits explicit per-workflow declarations).

YAML validated locally with yaml.safe_load.

[github-actions]

Label error. Requires exactly 1 of: automation, breaking, bug, changelog:skip, chore, ci, dependencies, documentation, enhancement, feature, fix. Found:

[arpitjain099]

The check-labels job is failing because the PR is missing a required label and external contributors can't add them themselves. Could a maintainer apply chore (or whichever of automation, changelog:skip, or ci fits your conventions better)? Happy to amend the PR body or title if the right label needs that first.

[arpitjain099]

Friendly bump on this. The PR is blocked on a maintainer applying one of the required labels (automation, breaking, bug, changelog:skip, chore, ci, dependencies, documentation, enhancement, feature, fix). chore would be the right fit for this CI hygiene change.

cc @cotti / @reakaleek / @theletterf, posting since you've been on the recent merge flow.