ci: enforce least-privilege permissions and update workflows (#188)

* ci: add permissions: {} to CI workflow with job-level contents: read

* ci: enforce least-privilege permissions in security workflow

* ci: enforce least-privilege permissions in commitlint workflow

* ci: enforce least-privilege permissions in pr-lint workflow and update actions

* ci: enforce least-privilege permissions in stale workflow and update actions

* ci: enforce least-privilege permissions in sync-labels workflow and update actions

* ci: enforce least-privilege permissions in release workflow and update actions

* chore(actions): update ivuorinen/actions/codeql-analysis (v2026.03.06 → v2026.03.09)

* chore(deps): update testdata composite action dependencies

.github/workflows/security.yml

@@ -12,6 +12,8 @@ on:
     - cron: "0 2 * * 0"
   merge_group:
 
+permissions: {}
+
 jobs:
   # Comprehensive security coverage:
   # - govulncheck: Go-specific vulnerability scanning
@@ -45,7 +47,7 @@ jobs:
     name: Trivy Security Scan
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write # needed for Dependency Submission API (SBOM)
       security-events: write
     steps:
       - name: Checkout repository