fix(ci): restrict GITHUB_TOKEN permissions in workflows (#24785)

* fix(ci): restrict GITHUB_TOKEN permissions in workflows

Apply principle of least privilege to workflow permissions to address 6 Token-Permissions security alerts. Changes include adding explicit contents: read, downgrading packages: write to packages: read where only image pulls are needed, and moving elevated permissions from workflow to job level where appropriate.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* manual fix of .github/workflows/ci-integration-review.yml

* manually fix statuses in .github/workflows/ci-integration-review.yml

* remove redundant line from .github/workflows/cla.yml

* manually fix .github/workflows/integration.yml

* attempt to fix .github/workflows/integration.yml

* attempt to fix ci-integration-review.yml

---------

Co-authored-by: Claude <noreply@anthropic.com>