permissions sweep on simple workflows (#995)

Add top-level `permissions: {}` (default deny) to:
- run-precommit.yml (also adds contents:read to the only job)
- stale.yml (existing job-level perms unchanged)
- assign-devin-prs.yml (existing job-level perms unchanged)

Author: GuyEshdat

.github/workflows/assign-devin-prs.yml

@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened]
 
+permissions: {}
+
 jobs:
   assign:
     if: github.actor == 'devin-ai-integration[bot]'

.github/workflows/run-precommit.yml

@@ -3,9 +3,13 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions: {}
+
 jobs:
   code-quality:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout Elementary
         uses: actions/checkout@v6

.github/workflows/stale.yml

@@ -3,6 +3,8 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions: {}
+
 jobs:
   close-issues:
     runs-on: ubuntu-latest