Add explicit workflow write permissions for GITHUB_TOKEN (#6930)

## Summary
- add explicit `contents: write` and `pull-requests: write` permissions
to `update-kube-stack-version.yml`
- add explicit `issues: write` permissions to `add-new-team-label.yml`
- keep both workflows compatible with a read-only default `GITHUB_TOKEN`

## Test plan
- [x] Reviewed both workflows to confirm they write through
`GITHUB_TOKEN`
- [x] Verified the diff only adds the required explicit permissions
- [ ] Optional: run the workflows in GitHub after merge or in a test
branch if you want runtime confirmation

Made with [Cursor](https://cursor.com)

---------

Co-authored-by: OpenAI <noreply@openai.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 3 people

.github/workflows/add-new-team-label.yml

@@ -4,10 +4,14 @@ on:
   issues:
     types: [opened]
 
+permissions: {}
+
 jobs:
   add-needs-triage-label:
     name: Add `needs-team` label
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Add the needs-team label
         uses: actions-ecosystem/action-add-labels@v1

.github/workflows/update-kube-stack-version.yml

@@ -12,9 +12,14 @@ on:
         default: false
         type: boolean
 
+permissions: {}
+
 jobs:
   update-kube-stack-version:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
 
     steps:
     - name: Checkout repository