Add explicit read-only permissions to CI workflows

[arpitjain099]

Summary

• Add explicit permissions blocks with contents: read to 15 workflows that currently rely on default token scopes.
• Scope this PR to read-only workflows (tests, reporting, container build/test/republish orchestration, and Tour of Beam CI jobs).

Why

These workflows only need repository read access for checkout and CI execution. Explicit permissions harden GitHub Actions token usage and document intent.

Notes

• Intentionally excludes workflows that likely require write access for release/tag operations:
  • .github/workflows/build_release_candidate.yml
  • .github/workflows/git_tag_released_version.yml
• Also excludes .github/workflows/beam_Playground_Precommit.yml because it uses pull_request_target + custom setup logic that should be reviewed separately for least-privilege writes.

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[github-actions]

Assigning reviewers:

R: @Abacn for label build.

Note: If you would like to opt out of this review, comment assign to next reviewer.

Available commands:

• stop reviewer notifications - opt out of the automated review tooling
• remind me after tests pass - tag the comment author after tests pass
• waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

[arpitjain099]

Hi @Amar3tto, gentle ping on this. PR has been open for 4 days without review. I noticed you've been on the recent-merger side of recent merges in this repo. When you have a moment, would you mind giving it a quick look? No urgency. Happy to address any feedback.

[damccorm]

I don't think this actually enhances our security and it has the potential to break things, so I'm -1 on taking it. I think the default settings are fine for most use workflows