Add explicit permissions to GitHub workflows (#1715)

Fix code scanning alert about unlimited permissions by applying the
principle of least privilege to all workflow jobs. Each job now has
only the permissions it actually needs (contents: read for checkout
and build operations). The rules workflow gets empty permissions as
it only runs shell scripts without needing repository access.

Committed-By-Agent: claude