fix(ci): replace read-all with specific permissions in workflows

Replace overly broad `permissions: read-all` with minimal
`contents: read` at workflow level in pr-lint.yml and sync-labels.yml.
Job-level permissions already declare specific needs.

.github/workflows/pr-lint.yml

@@ -10,7 +10,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: read-all
+permissions:
+  contents: read
 
 env:
   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/sync-labels.yml

@@ -20,7 +20,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   labels: