Add least-privilege permissions to triage workflow

Add explicit permissions: block (pull-requests: write, issues: write) to
constrain GITHUB_TOKEN scope on pull_request_target trigger.

Ref: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/triage.yml

@@ -10,6 +10,10 @@ on:
       - opened
       - reopened
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   triage:
     uses: smallstep/workflows/.github/workflows/triage.yml@main