ci: declare contents: read for the bazel test workflow

The single job in this workflow checks out the repo and runs bazel test with
remote cache via Google service-account credentials (passed as the
GOOGLE_CREDENTIALS secret). It does not write to the repo or call GitHub
APIs for any write, so contents: read is the minimum GITHUB_TOKEN scope it
needs.

Author: arpitjain099

.github/workflows/bazel-test.yaml

@@ -7,6 +7,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}