ci: restrict GITHUB_TOKEN to read-only in core CI workflows

[Rohan5commit]

Summary

• add explicit top-level workflow permissions:
  • permissions: { contents: read }
• apply to core read-only CI workflows:
  • .github/workflows/build.yml
  • .github/workflows/build_and_test.yml
  • .github/workflows/buildifier.yml
  • .github/workflows/ast-grep.yml
  • .github/workflows/changelog-requirement.yml
  • .github/workflows/changelog-validation.yml
  • .github/workflows/copyright-check.yml

Why

These workflows currently rely on repository-default GITHUB_TOKEN scope. Explicit read-only defaults reduce blast radius from compromised workflow code/actions and move toward least-privilege guidance.

Relates to #14778.

Notes

• This PR intentionally targets core CI/lint/read-only workflows first.
• Release/automation workflows with write needs are left unchanged in this patch.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}