tech(ci): harden github actions workflows#97

Merged
mkappworks merged 1 commit into
mainfrom
tech/2026-05-15-harden-github-actions
May 15, 2026

Conversation

@mkappworks
Contributor

Summary

Defense-in-depth hardening of the GitHub Actions workflows. No pull_request_target or other RCE-class issues were found — this is preventative tightening of the two next-most-material weaknesses: missing explicit GITHUB_TOKEN scope on the PR-triggered workflows, and a mutable-tag-pinned third-party action in the only job that runs with secrets.

Changes

  • Add permissions: contents: read to ci.yml and build.yml so the GITHUB_TOKEN cap on pull_request runs is minimal regardless of repo-level defaults
  • SHA-pin softprops/action-gh-release in build-and-publish.yml (@v2 → @b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0); this is the only third-party action that runs in a job with secrets (MACOS_CERTIFICATE, APPLE_ID_PASSWORD, etc.), so an upstream tag-move can't silently flow into the release pipeline. Trailing version comment keeps Dependabot/Renovate bumps visible
  • The v2 → v3 jump is a Node 20 → Node 24 runtime swap only (verified against the upstream diff); no action input/output API changes

Type of change

  • Refactor / internal improvement

Checklist

  • flutter analyze passes with no issues — N/A, workflow YAML only
  • dart format lib/ test/ applied — N/A, no Dart changes
  • flutter test passes — N/A, no Dart changes
  • If Drift tables or Riverpod providers were changed, build_runner was re-run and generated files are committed — N/A
  • PR is focused on a single concern

- Add explicit `permissions: contents: read` to ci.yml and build.yml
  so the GITHUB_TOKEN blast radius on pull_request runs is minimal
  regardless of repo defaults.
- SHA-pin `softprops/action-gh-release` (the only third-party action
  that runs in a job with secrets) to v3.0.0 commit b430933, so an
  upstream tag-move can't silently flow into the release pipeline.
  Dependabot/Renovate can still bump it via the trailing version
  comment.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
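A defender-side check for the two weaknesses this PR closes, added here as an example and not code from the PR or the repository: it scans a workflow for a missing top-level `permissions:` block and for `uses:` refs that are mutable tags rather than full commit SHAs. The sample workflows are constructed, and the job-level `contents: write` override in the hardened sample is an assumption the PR text does not describe.

```python
import re

# Constructed "before" sample modelled on the job the PR describes; not the repo's real file.
WEAK_WORKFLOW = """\
on:
  push:
    tags: ['v*']
jobs:
  release:
    runs-on: macos-latest
    steps:
      - uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# "After" sample: top-level read-only token scope plus the full-SHA pin the PR cites. The job-level
# `contents: write` override is an assumption (the PR does not describe it) so the release step can publish.
HARDENED_WORKFLOW = (
    WEAK_WORKFLOW
    .replace("jobs:\n", "permissions:\n  contents: read\njobs:\n", 1)
    .replace("    steps:\n", "    permissions:\n      contents: write\n    steps:\n", 1)
    .replace("action-gh-release@v2",
             "action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0", 1)
)

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def unpinned_actions(text):
    """(action, ref) for every remote `uses:` whose ref is not a full 40-hex commit SHA."""
    hits = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local composite action or container image: no upstream tag to move
        action, _, ref = m.group(1).partition("@")
        if not SHA_RE.fullmatch(ref):
            hits.append((action, ref))
    return hits

def audit(text):
    """Findings for the two PR checks; an empty list means both pass."""
    issues = []
    if re.search(r"^permissions:", text, re.M) is None:  # no column-0 block caps GITHUB_TOKEN
        issues.append("no top-level permissions: block, GITHUB_TOKEN scope falls back to the repo default")
    issues += [f"{a}@{r}: mutable ref, pin to a full commit SHA" for a, r in unpinned_actions(text)]
    return issues
```

Run `audit()` over each `.github/workflows/*.yml` in a pre-merge check; it reports two findings for the weak sample and none for the hardened one.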
@mkappworks mkappworks self-assigned this May 15, 2026
@mkappworks mkappworks merged commit 9b0d6fc into main May 15, 2026
3 checks passed
@mkappworks mkappworks deleted the tech/2026-05-15-harden-github-actions branch May 15, 2026 00:25