ci: declare contents:read on Lint workflow (#2989)

The Lint workflow runs cpplint and pylint against the checked-out
tree. No cache, no GitHub API write. `permissions: contents: read`
captures that and matches the per-job permissions blocks already
used in deploy_nightly_docs.yml (pages:write + id-token:write) and
upload-ci-logs.yml (statuses:write).

build.yml is left out because it pulls mozilla-actions/sccache-action
(which writes to the Actions cache) and easimon/maximize-build-space.
A drive-by permissions block there would need actions:write for the
sccache save path, which deserves a separate look.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Author: arpitjain099

.github/workflows/lint.yml

@@ -11,6 +11,8 @@ concurrency:
   # Group by workflow name + PR number (for PRs) or ref (for branch/tag pushes)
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
+permissions:
+  contents: read
 jobs:
   pytorch_cpplint:
     name: 'PyTorch C++'