
ci(workflow): fix workflow permissions #10

Merged

madflojo merged 3 commits into main from alert-autofix-6 on Sep 27, 2025

Conversation

@madflojo (Owner)

Potential fix for https://github.com/madflojo/testlazy/security/code-scanning/6

To fix the issue, we need to add a permissions block at the appropriate level in the workflow YAML file to restrict the default permissions of the GITHUB_TOKEN to the minimum required. Since none of the steps in the commitlint job require write access, we can safely set permissions: contents: read, either at the root (applies to all jobs), or under the job (commitlint:) (scoped to just this job). Best practice is usually to do this at the root unless there are jobs with differing requirements. We will add the following block after the name field, before the on field:

permissions:
  contents: read

No imports, definitions, or further code are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
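The layout the description above recommends, written out as an added example. This is not the testlazy repository's actual workflow file and it is not taken from the PR diff: the job names, the checkout step, the commitlint invocation and the second "comment" job are assumptions used to show the two placements the description mentions, a workflow-level block that every job inherits and a job-level block for a job with differing requirements.

```yaml
# Added example, not the testlazy repository's own workflow.
# Job names, steps and commands below are assumed for illustration.
name: commitlint

# Workflow-level default: every job receives a read-only GITHUB_TOKEN.
# Declaring any permissions block at all sets every scope not listed to
# "none", so this also removes the token's default write scopes.
permissions:
  contents: read

on:
  pull_request:

jobs:
  commitlint:
    runs-on: ubuntu-latest
    # No job-level block: inherits "contents: read" from the workflow level,
    # which is all actions/checkout needs to clone the repository.
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # commitlint needs the PR's full commit range
      - run: >
          npx commitlint
          --from "${{ github.event.pull_request.base.sha }}"
          --to "${{ github.event.pull_request.head.sha }}"
          --verbose

  # Hypothetical job showing the "jobs with differing requirements" case.
  # A job-level permissions block REPLACES the workflow-level block rather
  # than merging with it, so every scope the job needs must be listed here.
  comment:
    needs: commitlint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # required to post a comment on the PR
    steps:
      - run: >
          gh pr comment "${{ github.event.pull_request.number }}"
          --repo "${{ github.repository }}"
          --body "commitlint passed"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two caveats when applying this pattern: the scanner alert fires on the absence of an explicit block, so a repository whose default workflow permissions are already read-only still benefits from stating them, since the setting is then visible in the file rather than in repository settings; and once a job-level block exists, forgetting a scope there fails loudly at the API call that needed it, which is the intended failure mode of least privilege.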
@codecov-commenter

codecov-commenter commented Sep 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (7e7a872) to head (e20427e).

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #10   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            2         2           
  Lines          102       102           
=========================================
  Hits           102       102           
Flag                           Coverage Δ
./helpers/counter-unittests    100.00% <ø> (ø)
./things/testurl-unittests     100.00% <ø> (ø)

Flags with carried forward coverage won't be shown.

☔ View full report in Codecov by Sentry.


madflojo and others added 2 commits September 27, 2025 12:25
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@madflojo madflojo changed the title Potential fix for code scanning alert no. 6: Workflow does not contain permissions ci(workflow): fix workflow permissions Sep 27, 2025
@madflojo madflojo marked this pull request as ready for review September 27, 2025 19:28
Copilot AI review requested due to automatic review settings September 27, 2025 19:28

Copilot AI left a comment


Pull Request Overview

This PR addresses a security vulnerability by restricting GitHub workflow permissions to follow the principle of least privilege. The changes add explicit permissions: contents: read blocks to three workflow files to limit the default GITHUB_TOKEN permissions.

  • Adds minimal required permissions to workflow files instead of using default broad permissions
  • Applies consistent security hardening across all three workflow files
  • Addresses a specific security code scanning alert regarding excessive workflow permissions

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Reviewed files:
  • .github/workflows/tests.yml: adds read-only contents permission to the test workflow
  • .github/workflows/lint.yml: adds read-only contents permission to the lint workflow
  • .github/workflows/commitlint.yml: adds read-only contents permission to the commit message linting workflow


@madflojo madflojo merged commit 690dad9 into main Sep 27, 2025
12 checks passed
@madflojo madflojo deleted the alert-autofix-6 branch September 27, 2025 19:28
