ci: smoke-test - grant packages:read so reusable discover_versions can run

The Smoke Test workflow ran on PR #400 head commit and concluded as
startup_failure with 0 jobs. That's GH Actions failing to validate the
workflow before any container spawns. Compared against every other
workflow that calls _discover-versions.yml (simple, cmdline,
multi-compiler, fips-ready, sanitizers, seed-src), smoke-test.yml is
the only one with a workflow-level 'permissions: contents: read' block.

The reusable _discover-versions.yml job declares
'permissions: { contents: read, packages: read }' for its oras login
ghcr.io step. Workflow-level permissions clamp every job including
reusable workflows, so the discover_versions job ended up with strictly
fewer permissions than it declared, which trips startup validation.

Grant packages:read at the workflow level so the reusable workflow's
declared permissions can be satisfied. Keep the explicit block instead
of removing it - the other working workflows just rely on the repo
default token, but smoke-test.yml should stay explicit since it's the
gate everything else waits on.

Author: aidangarske

.github/workflows/smoke-test.yml

@@ -22,8 +22,14 @@ concurrency:
   group: smoke-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+# _discover-versions.yml (the reusable workflow we call below) declares
+# permissions: { contents: read, packages: read } for its `oras login
+# ghcr.io` step. Workflow-level permissions clamp every job including
+# reusable workflows, so we must grant packages:read here or the
+# discover_versions job startup_failures before any container spawns.
 permissions:
   contents: read
+  packages: read
 
 jobs:
   discover_versions: