security: add explicit permissions to discover and aggregate-security jobs

**Security Issue:**
GitHub Code Scanning alerts #241 and #242 flagged missing explicit
permissions in full-build.yml workflow jobs.

**Risk:**
Without explicit permissions, GITHUB_TOKEN may receive overly broad
permissions by default, violating principle of least privilege.

**Fix:**
Added minimal permissions blocks to:
- discover job (line 30): contents: read
- aggregate-security job (line 582): contents: read

Both jobs only need read access to checkout code and read manifests.
No write permissions required.

**Resolves:**
- Code Scanning Alert #241 (discover job)
- Code Scanning Alert #242 (aggregate-security job)

Author: SckyzO

.github/workflows/full-build.yml

@@ -29,6 +29,8 @@ jobs:
   discover:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     outputs:
       exporters: ${{ steps.detect.outputs.exporters }}
       build_needed: ${{ steps.detect.outputs.build_needed }}
@@ -584,6 +586,8 @@ jobs:
     if: always() && !cancelled() && needs.discover.outputs.build_needed == 'true'
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6