Add contents: read to base-OS and ubuntu-sync workflows

Both workflows fire on pull_request, check out the repo, and run shell/python
diff scripts to validate that legacy and versioned base-OS files stay in sync.
Neither pushes or comments back to the PR - contents: read is the right scope.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Author: arpitjain099

.github/workflows/check_base_os.yml

@@ -21,6 +21,9 @@ on:
     paths:
       - 'projects/**'
 
+permissions:
+  contents: read
+
 jobs:
   check-consistency:
     runs-on: ubuntu-latest

.github/workflows/ubuntu_version_sync.yml

@@ -20,6 +20,9 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   check-sync:
     name: Ubuntu File Synchronization Check