security: add explicit permissions to all workflow jobs

- Add least-privilege permissions to all GitHub Actions jobs
- Fixes 8 CodeQL security findings (actions/missing-workflow-permissions)
- Build jobs: contents:read, actions:write
- Release job: contents:write, actions:read
- Test job: contents:read, checks:write, actions:write
- Status jobs: no permissions needed

Follows principle of least privilege and GitHub Actions security best practices.
2025-11-19 00:25:01 +02:00
parent 546b1ae25e
commit 76b48f1ef7
3 changed files with 21 additions and 0 deletions


@@ -11,6 +11,9 @@ jobs:
build-ios:
name: Build iOS
runs-on: macos-latest
permissions:
contents: read
actions: write
steps:
- name: Checkout code
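Review bot: `actions: write` in the build-ios permissions block is wider than a build job normally needs. It lets the job's GITHUB_TOKEN cancel workflow runs and delete artifacts, and nothing in the visible lines shows which step depends on it; ordinary artifact upload within the same run does not require it, and downloading artifacts from another run only needs `actions: read`. Please add a YAML comment above `permissions:` naming the step that needs the write scope, or narrow it to `actions: read` / drop the key if no step touches the Actions API.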
@@ -39,6 +42,9 @@ jobs:
build-maccatalyst:
name: Build macOS Catalyst
runs-on: macos-latest
permissions:
contents: read
actions: write
steps:
- name: Checkout code
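Review bot: build-maccatalyst receives the same `contents: read` / `actions: write` pair as build-ios, with the same unexplained write scope. If the justification is shared (for example a step that cancels superseded runs or prunes artifacts), record it once in a comment next to the permission so the write grant is auditable and does not get copied into future jobs without review.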
@@ -69,6 +75,7 @@ jobs:
runs-on: ubuntu-latest
needs: [build-ios, build-maccatalyst]
if: always()
permissions: {}
steps:
- name: Check build status
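Review bot: `permissions: {}` together with `if: always()` is the right shape for a status job, but it leaves the GITHUB_TOKEN with no scopes at all, so the "Check build status" step must decide purely from `needs.build-ios.result` and `needs.build-maccatalyst.result` (failing with a non-zero exit) and must not call the GitHub API; a step that uses `gh` or a REST request with the token, or checks out a private repository, will fail at runtime. The step body is outside this hunk, so it is worth confirming before merge.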