fix: add explicit permissions to GitHub Actions workflows

[flobernd]

InfoSec is changing GITHUB_TOKEN default permissions from read/write to read-only on July 15th. This PR adds explicit permissions blocks to workflows that require write access.

Changes

Workflow	Fix applied
auto-pr.yml	Added contents: write, pull-requests: write, issues: read — delegates to reusable workflow that creates PRs
codeql.yml	Added permissions: {} at top level — job-level security-events: write already present, top-level deny-all is best practice
docs-preview-cleanup.yml	Added permissions: {} at top level — job-level permissions already scoped correctly
regenerate-notice.yml	Added permissions: {} at top level — job-level contents: write already present for git push
resolve-conflicts.yml	Added contents: write, pull-requests: write, issues: read — delegates to reusable workflow that resolves backport conflicts

References

• https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5		0	0	0.24s
✅ COPYPASTE	jscpd	yes		no	no	10.74s
✅ REPOSITORY	gitleaks	yes		no	no	59.68s
✅ REPOSITORY	git_diff	yes		no	no	0.61s
✅ REPOSITORY	secretlint	yes		no	no	30.9s
✅ REPOSITORY	trivy	yes		no	no	18.58s
✅ YAML	yamllint	5		0	0	0.92s

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository