Harden CI workflow per zizmor

- Add top-level 'permissions: contents: read' (fixes excessive-permissions)
- Set 'persist-credentials: false' on actions/checkout (fixes artipacked)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: williammartin

.github/workflows/push.yml

@@ -1,6 +1,10 @@
 on: [push, pull_request]
 
 name: CI
+
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -13,6 +17,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Setup go
         uses: actions/setup-go@v6
         with: