Harden GitHub Actions Workflow Permissions

[begonaguereca]

What's changing?

This PR updates the CI workflow to explicitly define permissions in accordance with GitHub security best practices and to resolve the actions/missing-workflow-permissions CodeQL alert.

• Added top-level permissions: contents: read to enforce least-privilege by default.
• Scoped contents: write to the publish job only (required for release creation).
• Preserved checks: write and pull-requests: write permissions for the unit-test job to support publishing test results.

How's this tested?

Closes https://github.com/github/gh-actions-importer/security/code-scanning/3

[Copilot]

Pull Request Overview

This PR tightens workflow security by explicitly setting least-privilege permissions and scoping write access only where needed.

• Adds a top-level permissions: contents: read to enforce default read-only access.
• Grants contents: write specifically to the publish job.

[github-actions]

Unit Test Results

42 tests  ±0   42 ✅ ±0   0s ⏱️ ±0s
 1 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 41dfffd. ± Comparison against base commit 6f6c943.

♻️ This comment has been updated with latest results.

[offbyone]

Based on the CI errors, there are dotnet version issues with the existing tools. I seem to recall we may have had a platform upgrade to dotnet recently, based on a PR in gh-gei. Is that related to the CI issues here?

[begonaguereca]

@offbyone ya we will need to tackle the dotnet upgrade next, fixed our CI issues here: #335

CI is green after more than a year!