ci: add explicit GITHUB_TOKEN permissions in workflows

Semgrep rule temporal.security.gha.missing-explicit-permissions: set least-privilege permissions blocks.

Author: mjameswh

.github/workflows/heavy.yml

@@ -6,6 +6,9 @@ on: # rebuild any PRs and main branch changes
     branches:
       - master
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true