
chore: add permissions section to workflow YAML files#123

Merged
ArthurTonial merged 1 commit into main from chore/ospo-github-actions-permissions on May 15, 2026

Conversation

@ArthurTonial
Member

Disclaimer: Do not include SAP-internal or customer-specific information in this PR (e.g. internal system URLs, customer names, tenant IDs, or confidential configurations). This is a public repository.

Description

Add explicit permissions: blocks to all GitHub Actions workflows that were missing them, following the principle of least privilege for GITHUB_TOKEN.

Each workflow was audited for write-access requirements:

  • check-version-bump.yaml, commit-validation.yaml, proto-verify.yaml, release-internal.yml, reuse.yaml — read-only operations only; set to contents: read
  • sync.yaml — performs git push to the internal mirror repository using GITHUB_TOKEN as a fallback; set to contents: write

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • Dependency update

How to Test

  1. Merge this PR
  2. Trigger any of the affected workflows (e.g. open a pull request against main to run check-version-bump, commit-validation, proto-verify, release-internal, reuse)
  3. Verify all workflows complete successfully — no permission-denied errors
  4. After merge, go to Repository → Settings → Actions → General → Workflow permissions and switch to "Read repository contents and packages permissions"
  5. Re-trigger the workflows and confirm they still pass

Checklist

  • I have read the Contributing Guidelines
  • I have verified that my changes solve the issue
  • I have added/updated automated tests to cover my changes
  • All tests pass locally
  • I have verified that my code follows the Code Guidelines
  • I have updated documentation (if applicable)
  • I have added type hints for all public APIs
  • My code does not contain sensitive information (credentials, tokens, etc.)
  • I have followed Conventional Commits for commit messages

Additional Notes

This is a CI-only change with no impact on the published package or its public API. The version bump to 0.19.1 reflects the infrastructure maintenance.

After this PR is merged, the final step (switching the repo default to read-only) must be done manually in GitHub repository settings by an administrator.
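An added example, not code from this PR or from the repository: a small standard-library Python script that performs the kind of audit the description mentions, checking each workflow for an explicit top-level permissions block and listing every scope granted write access so it can be matched against a step that actually needs it. The workflow texts it scans are constructed samples modelled on the cases listed above (a read-only check, the mirror push with contents: write, and a workflow with no block at all); the sample file names and the audit_directory helper are hypothetical, and the line-based scan is a deliberate simplification that recognises only the common permissions layouts and reports anything else for manual review rather than guessing.

```python
"""Audit GitHub Actions workflows for an explicit top-level `permissions:` block.

Hypothetical helper written for this example; it is not part of the repository.
It scans line by line instead of using a YAML library so it runs with the standard
library only. Supported layouts: a top-level `permissions:` mapping, the `{}`
empty mapping, and the `read-all` / `write-all` shorthand. Anything else is
reported as "unrecognised" so a human looks at it.
"""
import re
from pathlib import Path

# Scopes GITHUB_TOKEN can be granted (a subset known to exist; a scope outside
# this set in a workflow is most likely a typo and would be ignored by Actions).
KNOWN_SCOPES = {
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
}

# Matches only column-0 `permissions:`, i.e. the workflow-level block, not a
# job-level one. Group 1 is the inline value (empty for the mapping form).
_TOP_LEVEL = re.compile(r"^permissions:\s*(.*?)\s*(#.*)?$")
# Matches an indented `scope: level` line, tolerating a trailing comment.
_SCOPE_LINE = re.compile(r"^\s+([a-z-]+):\s*(\S+)\s*(#.*)?$")


def parse_top_level_permissions(text):
    """Return (status, scopes) for the workflow-level permissions block.

    status is "missing", "shorthand", "mapping" or "unrecognised";
    scopes maps scope -> level for the mapping form, {"*": shorthand} otherwise.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _TOP_LEVEL.match(line)
        if not m:
            continue
        value = m.group(1)
        if value in ("read-all", "write-all"):
            return "shorthand", {"*": value}
        if value == "{}":
            return "mapping", {}
        if value:
            return "unrecognised", {}
        scopes = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue  # blank lines and comments do not end the block
            sm = _SCOPE_LINE.match(nxt)
            if not sm:
                break  # first non-indented line ends the mapping
            scopes[sm.group(1)] = sm.group(2)
        return "mapping", scopes
    return "missing", {}


def audit(text):
    """Audit one workflow; returns {"status", "problems", "writes"}."""
    status, scopes = parse_top_level_permissions(text)
    problems, writes = [], []
    if status == "missing":
        problems.append("no top-level permissions block; GITHUB_TOKEN falls back to the repository default")
    elif status == "shorthand":
        if scopes["*"] == "write-all":
            problems.append("permissions: write-all grants every scope write access")
    elif status == "unrecognised":
        problems.append("permissions value not understood by this scanner; review by hand")
    else:
        for scope, level in scopes.items():
            if scope not in KNOWN_SCOPES:
                problems.append(f"unknown scope '{scope}' (typo?)")
            elif level not in ("read", "write", "none"):
                problems.append(f"scope '{scope}' has invalid level '{level}'")
            elif level == "write":
                writes.append(scope)  # not an error, but must be justified by a step
    return {"status": status, "problems": problems, "writes": writes}


def audit_directory(workflows_dir=".github/workflows"):
    """Audit every *.yml / *.yaml file under workflows_dir; returns {name: result}."""
    return {
        path.name: audit(path.read_text(encoding="utf-8"))
        for path in sorted(Path(workflows_dir).glob("*.y*ml"))
    }


# Constructed sample workflows (not the repository's real files) covering the
# cases the PR describes: a read-only check, a mirror push, and a missing block.
SAMPLES = {
    "proto-verify.yaml": "name: proto-verify\non: [pull_request]\npermissions:\n"
                         "  contents: read\njobs:\n  verify:\n    runs-on: ubuntu-latest\n"
                         "    steps:\n      - uses: actions/checkout@v4\n",
    "sync.yaml": "name: sync\non:\n  push:\n    branches: [main]\npermissions:\n"
                 "  contents: write   # needed for git push to the mirror\njobs:\n"
                 "  mirror:\n    runs-on: ubuntu-latest\n    steps:\n"
                 "      - uses: actions/checkout@v4\n",
    "legacy.yaml": "name: legacy\non: [push]\njobs:\n  build:\n"
                   "    runs-on: ubuntu-latest\n    steps:\n      - run: echo build\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = audit(text)
        print(f"{name}: {r['status']}; writes={r['writes']}; problems={r['problems']}")
```

Run it from the repository root with no arguments to see the three constructed samples scored; point audit_directory at a real .github/workflows directory to audit checked-in files. A workflow that reports "missing" is exactly the case this PR closes: its token's rights are whatever the repository default says, which is why step 4 of the test plan switches that default to read-only after the explicit blocks are in place.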

@ArthurTonial ArthurTonial requested a review from a team as a code owner May 15, 2026 17:15
@ArthurTonial ArthurTonial merged commit 00247c3 into main May 15, 2026
10 checks passed
@ArthurTonial ArthurTonial deleted the chore/ospo-github-actions-permissions branch May 15, 2026 19:19