ci: declare contents:read on slack-alert workflow

slack-alert runs on workflow_run, which executes with the elevated
default-branch context (not the read-only pull_request context). The
job only posts to a Slack webhook via SLACK_WEBHOOK_URL; it never
calls the GitHub API. Pinning the workflow to contents:read makes the
minimum-scope contract explicit, matching release.yml and website.yml
which already declare permissions blocks.

tests.yml uses actions/cache and is therefore left for a separate
change to avoid muddling the cache-write semantics here.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Author: arpitjain099

.github/workflows/slack-alert.yml

@@ -5,6 +5,9 @@ on:
     workflows: [tests]
     types: [completed]
 
+permissions:
+  contents: read
+
 jobs:
   on-failure:
     runs-on: ubuntu-latest