Add explicit permissions to all GitHub Actions workflows

[Copilot]

GitHub Actions workflows were missing explicit permissions declarations, leaving them with overly broad default token permissions — a security risk flagged by 23 code scanning alerts.

Changes

• Workflow-level permissions: contents: read added to ci.yml, release.yml, rebase.yml — establishes least-privilege baseline for all jobs
• Job-level permission overrides where elevated access is required:
  • ci.yml → coverage-report job: checks: write, pull-requests: write
  • release.yml → package job: contents: write (release asset upload)
  • rebase.yml → rebase job: contents: write, pull-requests: write
  • stale.yml → stale job: issues: write, pull-requests: write
  • update-news-www.yml → UpdateNewsOnWebsite job: contents: write
  • zap_scan.yml → zap_scan job: contents: read
• Workflow-level contents: write for workflows that commit back to repos: lint-fixer.yml, update-challenges-ebook.yml, update-challenges-www.yml

Potential fix for alerts

• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions
• Workflow does not contain permissions

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.