
[DevOps:CI] Add top-level permissions to CI workflows for least-privilege security #12463

@Ash092016

Description


What problem are you trying to solve with Submitty
The CI workflows (primarily ci.yml) do not set a top-level permissions: block. Without one, all jobs without explicit job-level permissions inherit the default GITHUB_TOKEN permissions — which on push events includes write access to contents, packages, deployments, etc. This violates the GitHub-recommended least-privilege principle for workflow tokens and increases the blast radius if a dependency or action is compromised.

Describe the way you'd like to solve this problem
Add a top-level permissions: contents: read block to ci.yml (and other workflows that lack it) to restrict the default token to read-only. Jobs that need elevated permissions can get job-level overrides.

Affected Workflows:

  • ci.yml: All 17 jobs (lint, unit tests, Cypress, DB check, Integration, Ansible) only need contents: read for actions/checkout. Codecov uses its own CODECOV_TOKEN, and upload-artifact works with read-only permissions.
  • documentation_check.yml: Only checks PR title; read-only is sufficient.
  • notify_issues.yml / notify_main_fail.yml: Only use curl with Zulip secrets; don't use GITHUB_TOKEN at all.
  • bump_repo.yml: Uses a separate SUBMITTYBOT_DEPENDENCY_TOKEN for PR creation.
  • localization_up.yml: Uses SUBMITTYBOT_DEPENDENCY_TOKEN for dispatch.
  • move_to_in_review.yml / sort_draft_prs.yml: Use GitHub App tokens, not GITHUB_TOKEN.

Proposed Change (example for ci.yml):

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

permissions:
  contents: read    # <-- ADD THIS

env:
  PGPASSWORD: submitty_dbuser
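As an added example (not code from the Submitty repository or from the issue author), the skeleton below shows the proposed workflow-level default together with the job-level override the description mentions for jobs that need more than read access. The `label-pr` job, its `needs-review` label and the placeholder lint step are assumptions made for illustration; only the `on:`, `permissions:` and `env:` keys mirror the proposed change.

```yaml
name: CI

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

# Workflow-wide default: every job receives a read-only GITHUB_TOKEN unless it
# declares its own permissions block.
permissions:
  contents: read

env:
  PGPASSWORD: submitty_dbuser

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # actions/checkout only needs contents: read, which the default already grants.
      - uses: actions/checkout@v4
      - run: echo "lint commands go here"   # placeholder step (assumption)

  label-pr:
    # Hypothetical job that must write to pull requests. A job-level permissions
    # block REPLACES the workflow-level default rather than merging with it, so
    # contents: read is restated here; every scope not listed is set to none.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: gh pr edit "$PR_NUMBER" --add-label "needs-review"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
```

The point to check when reviewing such a change is the replace-not-merge rule: once a job declares any `permissions:` entry, scopes it omits drop to `none`, so a job that overrides for one write scope must also restate `contents: read` or its checkout step will fail. Setting the workflow-level block to `permissions: {}` is the stricter variant if no job needs the token at all.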
