Explicitly set permissions on all GitHub Actions workflows #1384

Merged
chris-rock merged 1 commit into main from fix/explicit-workflow-permissions
Feb 6, 2026

@chris-rock
Member

Summary

  • Adds explicit permissions blocks to all workflows that were missing them, following the principle of least privilege
  • Removes the GitHubSecurityLab/actions-permissions/monitor step from lint.yaml since it has served its purpose
  • Workflows that already had job-level permissions (e.g. publish.yaml) now also have a restrictive top-level default

Workflows updated

| Workflow | Permissions |
|---|---|
| lint.yaml | contents: read |
| link-check.yaml | contents: read |
| leftover-spaces-cleaner.yaml | contents: read |
| cla.yaml | contents: read, pull-requests: write, issues: write, actions: read |
| publish-images.yaml | contents: read |
| edge-integration-tests.yaml | contents: read |
| cloud-tests.yaml | contents: read, checks: write |
| release-manifests.yaml | contents: write |
| publish.yaml | contents: read (top-level default; jobs escalate individually) |

Closes #843

Test plan

  • Verify lint workflow passes (only needs checkout + linter)
  • Verify CLA bot can still comment on PRs
  • Verify publish workflow can still push images and create releases
  • Verify cloud-tests can still publish test results

🤖 Generated with Claude Code

Adds top-level permissions blocks to every workflow that was missing one,
following the principle of least privilege. Also removes the now-unnecessary
permissions monitor action from the lint workflow.

Closes #843

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
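
A check that keeps the state this PR establishes from regressing, as an added example (not code from this repository): it flags any workflow without a top-level `permissions` block or with `write-all`, and lists top-level write scopes for review. The parser is line-based and assumes block-style YAML with top-level keys at column 0; the function names, the FAIL/review labels and the sample workflows are constructed for illustration.

```python
import re
import sys
from pathlib import Path

TOP_KEY = re.compile(r"""^["']?([A-Za-z_][\w-]*)["']?\s*:\s*(.*)$""")  # key at column 0
PAIR = re.compile(r"([\w-]+)\s*:\s*([\w-]+)")                         # scope: level

def top_level_permissions(text):
    """Workflow-level permissions as a dict, or None when the block is absent.
    Line-based (no YAML dependency): assumes top-level keys start at column 0."""
    perms, inside = None, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()  # drop comments
        if not line:
            continue
        top = TOP_KEY.match(line)
        if top:
            inside = top.group(1) == "permissions"
            if inside:  # shorthand read-all/write-all, inline {...}, or block start
                value = top.group(2)
                perms = {"*": value} if value.endswith("-all") else dict(PAIR.findall(value))
        elif inside:
            perms.update(PAIR.findall(line))  # indented "scope: level" lines
    return perms

def audit(text):
    """Findings for one workflow; FAIL items should block the change."""
    perms = top_level_permissions(text)
    if perms is None:
        return ["FAIL: no top-level permissions block"]
    if perms.get("*") == "write-all":
        return ["FAIL: top-level permissions: write-all"]
    return [f"review: top-level {s}: write" for s, lvl in sorted(perms.items()) if lvl == "write"]

# Constructed samples, not the project's files: a job-level block only, then
# the same workflow with a restrictive top-level default added.
JOB_ONLY = "name: publish\non: push\njobs:\n  release:\n    permissions:\n      contents: write\n"
WITH_DEFAULT = "permissions:\n  contents: read\n" + JOB_ONLY

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".github/workflows")
    findings = [f"{p.name}: {f}" for p in sorted(root.glob("*.y*ml"))
                for f in audit(p.read_text(encoding="utf-8"))]
    print("\n".join(findings))
    sys.exit(1 if any(": FAIL" in f for f in findings) else 0)
```

Run from the repository root, it exits non-zero when any workflow file produces a FAIL finding, so it can serve as a required check.
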
@github-actions
Contributor

github-actions Bot commented Feb 6, 2026

Test Results

  5 files  ±0   41 suites  ±0   34m 26s ⏱️ + 1m 19s
301 tests ±0  301 ✅ ±0  0 💤 ±0  0 ❌ ±0 
320 runs  ±0  318 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit 1735c77. ± Comparison against base commit feff81f.

@chris-rock chris-rock merged commit 637c4fa into main Feb 6, 2026
23 checks passed
@chris-rock chris-rock deleted the fix/explicit-workflow-permissions branch February 6, 2026 16:21
@github-actions github-actions Bot locked and limited conversation to collaborators Feb 6, 2026

Development

Successfully merging this pull request may close these issues.

Explicitly set linting permissions
