ci: declare workflow-level contents: read on 3 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in
.github/workflows/ that don't call a GitHub API beyond the initial
checkout. The other workflows in this directory are left implicit
because they need write scopes that a maintainer is better placed
to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection if the default ever widens, and are credited
per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Author: arpitjain099

.github/workflows/nightly.yml

@@ -15,6 +15,9 @@ env:
   # CHC_VERSION: "0.9.0"
   CH_VERSION: "25.3"
 
+permissions:
+  contents: read
+
 jobs:
   nightly:
     if: ${{ startsWith(github.repository, 'ClickHouse/') }}

.github/workflows/run_examples.yml

@@ -22,6 +22,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
 
 jobs:
   run-examples-with-8-jdk-and-latest:

.github/workflows/test_head.yml

@@ -19,6 +19,9 @@ concurrency:
 env:
   CH_VERSION: "head"
 
+permissions:
+  contents: read
+
 jobs:
   test-java-client:
     runs-on: ubuntu-latest