ci: declare workflow-level contents: read on ci and build-swc

Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Author: arpitjain099

.github/workflows/build-swc.yml

@@ -6,6 +6,9 @@ on:
       - 'tools/*'
       - 'deps/*'
 
+permissions:
+  contents: read
+
 jobs:
   build-swc:
     runs-on: ubuntu-latest

.github/workflows/ci.yml

@@ -3,6 +3,9 @@ name: CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   commit-lint:
     name: Commit Lint