fix(ci): narrow workflow permissions to least privilege

[shaanmajid]

Summary

Fixes the excessive-permissions findings flagged by zizmor (#10618) and removes the .github/zizmor.yml suppression that was deferring this work.

release-branch.yml: moves contents: write and pull-requests: write from workflow-level down to the bump-version-and-create-pr job, which is the only job that creates commits and opens a PR. The test and smoke test jobs now inherit only contents: read.

run-ci.yml: removes security-events: write from workflow-level. dependency-review-action only requires contents: read.

---

Summary by cubic

Narrowed GitHub Actions permissions to least privilege to resolve zizmor excessive-permissions findings and remove the suppression. CI behavior stays the same; only the bump job has write access.

• Description

  • release-branch.yml: default contents: read; grant contents: write and pull-requests: write only to bump-version-and-create-pr. Other jobs inherit read-only.
  • run-ci.yml: removed security-events: write; dependency-review-action runs with contents: read.
  • Removed .github/zizmor.yml suppression for excessive-permissions.

• Testing

  • No code tests changed; workflows validated via CI runs.
  • Verified bump job can push commits and open a PR; dependency review still runs.

^{Written for commit 0bd3a67. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 3 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[shaanmajid]

CI failure looks to be just a flaky test but can't rerun to verify.

[jasonsaayman]

thanks for all the help 🔥