fix(security): move GHA permissions to job level (SonarCloud S8264)

Author: dcyfr

.github/workflows/ci.yml

@@ -6,13 +6,14 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     continue-on-error: true  # Allow migration to proceed
     steps:
       - uses: actions/checkout@v4
@@ -26,6 +27,8 @@ jobs:
   typecheck:
     name: Type Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     continue-on-error: true  # Allow migration to proceed
     steps:
       - uses: actions/checkout@v4
@@ -39,6 +42,8 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     continue-on-error: true  # Allow migration to proceed
     strategy:
       matrix:
@@ -61,6 +66,8 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4