Set minimal GitHub token permissions for CI workflow

This adds explicit permissions block with contents:read to follow the
principle of least privilege. By default, GitHub Actions tokens have
broad write access to the repository, which poses unnecessary security
risks.

Author: jserv

.github/workflows/main.yml

@@ -2,6 +2,9 @@ name: CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   semu-linux:
     runs-on: ubuntu-24.04