
ci: declare contents:read on test-codex-build workflow#156

Merged
reakaleek merged 2 commits into elastic:main from arpitjain099:chore/declare-workflow-perms on May 18, 2026

Conversation

@arpitjain099
Contributor

Adds a workflow-level permissions: contents: read block. The job here only checks out the repository and runs its tests / validation; no GitHub API call beyond the initial checkout is needed.

CVE-2025-30066 (the March 2025 tj-actions/changed-files supply-chain compromise) is the canonical motivation: a tampered third-party action exfiltrated GITHUB_TOKEN from workflow logs and the leaked token retained whatever scope was issued at the workflow level. Per-workflow caps bound that runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and register with OpenSSF Scorecard's Token-Permissions check (which only credits explicit per-workflow declarations).

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
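The PR's own diff is not shown on this page, so the following is an added illustration (not the project's workflow file) of what a workflow-level permissions cap does. The workflow name comes from the PR title; the job layout, the `./scripts/run-tests.sh` step and the optional `comment` job are assumptions made up for the example. The first document shows the weak default (no `permissions` block, so the job token inherits whatever the repository or organization default grants); the second shows the explicit cap, plus how a single job that genuinely needs more authority widens only its own token.

```yaml
# Added example, not the PR's diff. Two workflow documents side by side.

# --- Before: no permissions block. GITHUB_TOKEN for every job carries the
# repo/org default scopes, and any tampered step (the CVE-2025-30066 pattern)
# that leaks the token leaks all of that authority.
name: test-codex-build (before)
on:
  pull_request:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-tests.sh   # assumed test entry point

---
# --- After: workflow-level cap. Every job inherits contents: read and every
# scope not listed here is set to "none", regardless of the repo/org default.
# (permissions: {} would be stricter still, but checkout needs contents: read.)
name: test-codex-build (after)
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read            # all actions/checkout needs is read access
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-tests.sh   # assumed test entry point

  # Hypothetical job that must write to the PR. A job-level permissions block
  # replaces the workflow-level set for that job only, so contents: read has to
  # be restated; the test job above keeps its read-only token.
  comment:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write    # scoped to this job's token alone
    steps:
      - run: echo "would post a status comment here"   # placeholder step
```

The defender-side check is the one the PR body names: OpenSSF Scorecard's Token-Permissions check credits only an explicit top-level `permissions` declaration, so the "after" form scores and the "before" form does not, even on a repository whose default token is already read-only. Note also the semantics of job-level overrides: listing any scope at the job level sets every unlisted scope to none for that job, which is why the hypothetical `comment` job restates `contents: read` alongside `pull-requests: write`.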
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 14, 2026 16:18
@arpitjain099 arpitjain099 requested a review from technige May 14, 2026 16:18
@cla-checker-service

cla-checker-service Bot commented May 14, 2026

💚 CLA has been signed

@arpitjain099
Contributor Author

The check-labels job is failing because the PR is missing one of the required labels and external contributors can't apply labels themselves. Could a maintainer apply chore (or whichever of automation, changelog:skip, ci fits your conventions better)? CLA is now signed. Happy to amend the title or body if a particular label needs that first.

cc @cotti / @reakaleek / @theletterf, looks like you've been on the recent merge flow here.

@reakaleek
Member

Thank you @arpitjain099 for making our workflows safer.

@reakaleek reakaleek merged commit 6b22452 into elastic:main May 18, 2026
5 of 6 checks passed