Add least-privilege permissions to triage workflow

Add explicit permissions: block (pull-requests: write, issues: write) to
constrain GITHUB_TOKEN scope on pull_request_target trigger.

Ref: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/triage.yml

@@ -8,6 +8,10 @@ on:
     types:
       - opened
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
 
   label: