chore(ci): add explicit least-privilege workflow permissions (#573)

Added explicit permissions blocks to GitHub Actions workflows to satisfy
CodeQL actions/missing-workflow-permissions. (See the [Security tab on
Github](https://github.com/apache/iceberg-cpp/security/code-scanning))
Defaulted workflows to `contents: read`.

Author: kevinjqliu

.github/workflows/codeql.yml

@@ -29,11 +29,15 @@ on:
   schedule:
     - cron: '16 4 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze Actions
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
       packages: read
 

.github/workflows/license_check.yml

@@ -19,6 +19,9 @@ name: "Run License Check"
 
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   license-check:
     name: "License Check"

.github/workflows/pre-commit.yml

@@ -24,6 +24,9 @@ on:
       - '**'
       - '!dependabot/**'
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-24.04