ci: declare workflow-level contents: read on 6 workflows (#1960)

Summary:
Pins the default `GITHUB_TOKEN` to `contents: read` on 6 workflows in `.github/workflows/` that don't call a GitHub API beyond the initial checkout.

## Why

CVE-2025-30066 (March 2025 `tj-actions/changed-files` supply-chain compromise) exfiltrated `GITHUB_TOKEN` from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard `Token-Permissions` check.

YAML validated locally with `yaml.safe_load` on each touched file.

Pull Request resolved: #1960

Reviewed By: cortinico

Differential Revision: D105338326

Pulled By: CalixTang

fbshipit-source-id: e2b71c4db5c48a6161ceefdfbd65f5d58d067474

Author: arpitjain099

.github/workflows/validate-android.yml

@@ -8,6 +8,9 @@ on:
       - 'release-*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build [${{ matrix.os }}][${{ matrix.mode }}]

.github/workflows/validate-cpp.yml

@@ -11,6 +11,9 @@ on:
 env:
   GTEST_COLOR: 1
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Build and Test [${{ matrix.toolchain }}][${{ matrix.mode }}]

.github/workflows/validate-js.yml

@@ -11,6 +11,9 @@ on:
 env:
   FORCE_COLOR: 3
 
+permissions:
+  contents: read
+
 jobs:
   benchmark:
     name: Benchmark [${{ matrix.os }}]

.github/workflows/validate-swiftpm.yml

@@ -8,6 +8,9 @@ on:
       - 'release-*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Build

.github/workflows/validate-tests.yml

@@ -7,6 +7,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     name: Validate

.github/workflows/validate-website.yml

@@ -9,6 +9,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build_next:
     name: Build