
ci: declare workflow-level contents: read on go/python/java/typescript test workflows #38623

Open
arpitjain099 wants to merge 1 commit into apache:master from arpitjain099:chore/declare-workflow-perms

@arpitjain099
Contributor

Four per-language test workflows (go_tests, python_tests, java_tests, typescript_tests) just run their language test suites. No GitHub API writes from the workflows themselves.

Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

…t test workflows

Four per-language test workflows just run their language test suites; no GitHub API writes from the workflows themselves.

Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@gemini-code-assist
Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions
Contributor

ghost commented May 25, 2026

Checks are failing. Will not request review until checks are succeeding. If you'd like to override that behavior, comment `assign set of reviewers`

@arpitjain099
Contributor Author

Heads-up on the failing checks: beam_PreCommit_GHA and beam_PreCommit_RAT are both failing with the same enterprise-level error:

The action gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 is not allowed in apache/beam because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: [...]

That's an Apache enterprise Actions allowlist policy, not anything my PR changed. My diff only adds a permissions: contents: read block to four test workflows (no new uses: lines). The gradle/actions/setup-gradle reference is already present on master and would fail any PR right now.

Happy to close if the test-workflows are the wrong target, or to leave it for whenever the enterprise allowlist gets updated. Let me know.
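A way to audit workflow files for the workflow-level `permissions` declaration this PR adds, as an added example that is not part of the pull request or the Beam repository. It assumes a dependency-free line scanner is enough (it is not a full YAML parser); the sample workflow is constructed and the names `workflow_permissions` and `audit` are hypothetical.

```python
import re

# Constructed sample workflow (not a file from apache/beam).
BEFORE = """\
name: Go tests
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
# The kind of change the PR describes: a top-level read-only permissions block.
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)

STRIP_COMMENT = re.compile(r"(^|\s)#.*$")
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*?)\s*$")  # column-0 keys only

def workflow_permissions(text):
    """Return workflow-level permissions: a dict of scopes, a scalar string
    ('read-all', 'write-all', '{}'), or None when the key is absent."""
    lines = [STRIP_COMMENT.sub("", l).rstrip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        m = TOP_KEY.match(line)
        if not m or m.group(1) != "permissions":
            continue  # job-level permissions are indented and never match
        if m.group(2):
            return m.group(2)  # scalar form, e.g. "permissions: read-all"
        scopes = {}
        for child in lines[i + 1:]:
            if child and not child[0].isspace():
                break  # next top-level key ends the block
            if ":" in child:
                key, value = child.strip().split(":", 1)
                scopes[key.strip()] = value.strip()
        return scopes
    return None

def audit(text):
    """Classify a workflow as 'missing', 'write' or 'restricted'."""
    perms = workflow_permissions(text)
    if perms is None:
        return "missing"  # GITHUB_TOKEN falls back to the repo/org default
    if perms == "write-all" or (isinstance(perms, dict) and "write" in perms.values()):
        return "write"
    return "restricted"
```

Running `audit` over every file under `.github/workflows/` gives a list of workflows that still rely on the default token permissions.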
