Fix actionlint ShellCheck finding in reports workflow

[coisa]

Context

Local workflow validation with actionlint now reports one issue in the repository workflows. The same validation was also run against the packaged consumer workflow wrappers under resources/github-actions/*.yml, and no additional issues were reported there.

Command used:

actionlint .github/workflows/*.yml resources/github-actions/*.yml

Current output:

.github/workflows/reports.yml:97:15: shellcheck reported issue in this script: SC2162:info:1:46: read without -r will mangle backslashes [shellcheck]
   |
97 |               run: |
   |               ^~~~

The affected block pipes chmod -c -R +rX "${REPORTS_TARGET}/" into while read line; do ... done. ShellCheck warns that read without -r can mangle backslashes, which can produce misleading warning messages for paths containing backslashes or escaped content.

Expected change

Update the reports workflow permission-fix loop to use a shell-safe read pattern, for example while IFS= read -r line; do, and validate the workflow again with actionlint.

Acceptance criteria

• .github/workflows/reports.yml uses read -r with an explicit IFS= in the permission-fix loop.
• actionlint .github/workflows/*.yml resources/github-actions/*.yml exits successfully.
• The change preserves the existing warning annotation behavior for each permission line emitted by chmod -c.
• If the packaged reports wrapper needs an equivalent update, it is kept aligned with the canonical workflow.

Non-goals

• Do not change the reports publication flow beyond the shell lint fix.
• Do not introduce a new workflow validation tool in CI as part of this fix; this issue is only for the current actionlint finding.