
ci: add minimal permissions to GitHub Actions workflows#1015

Merged
mergify[bot] merged 1 commit into python-wheel-build:main from tiran:minimal-permissions
Apr 2, 2026

Conversation

@tiran
Collaborator

@tiran tiran commented Apr 2, 2026

Pull Request Description

What

Add top-level permissions: contents: read to all three workflows (test, check, python-publish) to follow the GitHub security hardening recommendation of least-privilege token permissions. The publish workflow's existing job-level id-token: write override remains intact for trusted publishing.

Why

See: #1008

@tiran tiran requested a review from a team as a code owner April 2, 2026 04:59
@tiran tiran force-pushed the minimal-permissions branch from b005f6f to 396fbe4 April 2, 2026 04:59
@coderabbitai

coderabbitai bot commented Apr 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bf1d321e-87f9-4dfd-a3d3-3b1f44f8d085

📥 Commits

Reviewing files that changed from the base of the PR and between 396fbe4 and 2e9f9b8.

📒 Files selected for processing (3)
  • .github/workflows/check.yaml
  • .github/workflows/python-publish.yaml
  • .github/workflows/test.yaml
✅ Files skipped from review due to trivial changes (2)
  • .github/workflows/test.yaml
  • .github/workflows/check.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/python-publish.yaml

📝 Walkthrough

Walkthrough

Added top-level permissions blocks to three GitHub Actions workflows: .github/workflows/check.yaml, .github/workflows/test.yaml, and .github/workflows/python-publish.yaml, each setting the default GITHUB_TOKEN scope to contents: read. Additionally, in python-publish.yaml the build-n-publish job-level permissions were extended to include contents: read alongside the existing id-token: write. No triggers, jobs, job-level if conditions, steps, or run commands were changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: adding minimal permissions to GitHub Actions workflows across all three workflow files.
Description check ✅ Passed The description directly relates to the changeset, explaining what permissions are being added and why (least-privilege principle per GitHub security guidance), with reference to issue #1008.


@mergify mergify bot added the ci label Apr 2, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:

In @.github/workflows/python-publish.yaml, around lines 9-11: The job-level permissions for the build-n-publish job currently only set id-token: write, which overrides the workflow-level permissions and leaves contents as none. Update the build-n-publish job permissions to include contents: read so the actions/checkout step can access the repository (i.e., add contents: read alongside id-token: write in the job permissions block for the build-n-publish job).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6cd0b6e7-80bc-45d5-a29e-cf66955af8ab

📥 Commits

Reviewing files that changed from the base of the PR and between 3072a0c and 396fbe4.

📒 Files selected for processing (3)
  • .github/workflows/check.yaml
  • .github/workflows/python-publish.yaml
  • .github/workflows/test.yaml
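The layout that the PR description and the review finding above describe, written out as an added example rather than the project's actual python-publish.yaml; the trigger, step names and action versions are assumptions, only the permissions blocks and the build-n-publish job name come from this PR.

```yaml
# Added illustration, not the repository's own workflow file.
name: python-publish

on:
  release:
    types: [published]   # assumption: the real trigger is not shown on this page

# Workflow-level default: every job's GITHUB_TOKEN gets read-only access to
# repository contents and nothing else; every unlisted scope becomes "none".
permissions:
  contents: read

jobs:
  build-n-publish:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level one for this
    # job instead of merging with it. A block that lists only id-token: write
    # silently drops contents: read, and actions/checkout then cannot fetch
    # the repository (the review finding on this PR). Both scopes are needed.
    permissions:
      contents: read     # required by actions/checkout
      id-token: write    # required to mint the OIDC token for trusted publishing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: |
          python -m pip install build
          python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The check and test workflows need no job-level block at all, so the workflow-level contents: read is the only token scope they carry.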

Comment thread .github/workflows/python-publish.yaml
Add top-level `permissions: contents: read` to all three workflows
(test, check, python-publish) to follow the GitHub security hardening
recommendation of least-privilege token permissions. The publish
workflow's existing job-level `id-token: write` override remains
intact for trusted publishing.

See: python-wheel-build#1008
Co-Authored-By: Claude <claude@anthropic.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
@tiran tiran force-pushed the minimal-permissions branch from 396fbe4 to 2e9f9b8 April 2, 2026 05:29
Contributor

@mprpic mprpic left a comment


LGTM!

Contributor

@rd4398 rd4398 left a comment


This looks good! Thank you!

@mergify mergify bot merged commit dbeca51 into python-wheel-build:main Apr 2, 2026
38 checks passed