security: add explicit permissions to all workflow jobs

- Add least-privilege permissions to all GitHub Actions jobs
- Fixes 8 CodeQL security findings (actions/missing-workflow-permissions)
- Build jobs: contents:read, actions:write
- Release job: contents:write, actions:read
- Test job: contents:read, checks:write, actions:write
- Status jobs: no permissions needed
- Add wasm-tools-net8 workload installation for test workflow

Follows principle of least privilege and GitHub Actions security best practices.

.github/workflows/test.yml

@@ -24,6 +24,9 @@ jobs:
       with:
         dotnet-version: '8.0.x'
 
+    - name: Install WebAssembly Tools workload
+      run: dotnet workload install wasm-tools-net8
+
     - name: Restore dependencies
       run: dotnet restore tests/HihaArvio.Tests/HihaArvio.Tests.csproj /p:TargetFrameworks=net8.0