chore(ci): declare explicit permissions for read-default rollout

The generate.yaml workflow runs 'git push' using the default GITHUB_TOKEN
provided by actions/checkout. Once the org-wide flip to read-default
GITHUB_TOKEN lands, that push will fail unless the workflow explicitly
declares contents: write.

This narrows the token's effective scope (was implicit write-everything;
becomes read all + write contents) without changing happy-path behavior.

Author: zdenko-kovac

.github/workflows/generate.yaml

@@ -3,6 +3,9 @@ name: Update generated artifacts
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 defaults:
   run:
     shell: bash