Add explicit permissions to GitHub Actions workflows to fix CodeQL warnings by Copilot · Pull Request #3648 · microsoft/windows-rs · GitHub
Copilot AI commented Jul 1, 2025

This PR addresses CodeQL warnings about missing workflow permissions by adding explicit permissions sections to all GitHub Actions workflows in the repository.

Problem

CodeQL was generating warnings for workflows that didn't have explicit permissions defined, as they were using default permissions which can be overly broad and don't follow the principle of least privilege.

Solution

Added permissions: contents: read to all workflow files, which provides the minimal required permissions for workflows that need to checkout code and run builds/tests.

Changes Made

Generated Workflows (via yml tool):

  • Updated workflow generators in crates/tools/yml/src/:
    • test.rs - generates test.yml
    • clippy.rs - generates clippy.yml
    • msrv.rs - generates msrv.yml
    • no_default_features.rs - generates no-default-features.yml
  • Regenerated corresponding YAML files with permissions

Manual Workflows:

  • Added permissions to manually maintained workflows:
    • fmt.yml, lib.yml, gen.yml, no_std.yml
    • slim_errors.yml, linux.yml, miri.yml
    • doc.yml, cross.yml

Existing workflows (stale.yml, web.yml) already had appropriate permissions defined.

Result

  • All 15 workflow files now have explicit permissions defined
  • Follows the principle of least privilege with the minimal contents: read permission
  • Maintains existing functionality while addressing security best practices
  • Generated files remain consistent with the repository's workflow generation system

The changes are minimal and surgical - adding only 3 lines per workflow file while maintaining all existing functionality.

Fixes #3647.


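The CodeQL warning this PR responds to fires when a workflow declares no top-level permissions block and at least one job has none of its own. The following is an added example, not code from windows-rs or from this PR: a small line-oriented check (assuming the 2-space indentation shown in the PR's workflow files) that reports which jobs would run with the repository's default token permissions, so a reviewer can see why the unchanged file warns and the file with contents: read does not.

```rust
// Added example, not part of the windows-rs repository or this PR.
// Mirrors the CodeQL "missing workflow permissions" check: a workflow is
// clean when it has a top-level `permissions:` block, or when every job
// declares its own. Assumes 2-space YAML indentation (jobs at column 2,
// job keys at column 4); this is a lint helper, not a full YAML parser.

/// Names of jobs that would inherit the default GITHUB_TOKEN permissions.
/// An empty result means the CodeQL warning would not fire.
pub fn jobs_missing_permissions(workflow: &str) -> Vec<String> {
    let mut in_jobs = false;
    let mut in_job_body = false;
    let mut jobs: Vec<(String, bool)> = Vec::new(); // (name, has_permissions)

    for raw in workflow.lines() {
        let line = raw.trim_end();
        if line.trim().is_empty() || line.trim_start().starts_with('#') {
            continue; // skip blank lines and comments
        }
        let indent = line.len() - line.trim_start().len();
        let key = line.trim_start().split(':').next().unwrap_or("");
        match indent {
            // Top-level keys: a workflow-wide `permissions:` covers every job.
            0 => {
                if key == "permissions" {
                    return Vec::new();
                }
                in_jobs = key == "jobs";
                in_job_body = false;
            }
            // Job names sit directly under `jobs:`.
            2 if in_jobs => {
                jobs.push((key.to_string(), false));
                in_job_body = true;
            }
            // Keys inside a job body; a job-level `permissions:` clears that job.
            4 if in_job_body && key == "permissions" => {
                if let Some(last) = jobs.last_mut() {
                    last.1 = true;
                }
            }
            _ => {}
        }
    }
    jobs.into_iter().filter(|(_, ok)| !ok).map(|(name, _)| name).collect()
}

fn main() {
    // Constructed sample resembling a generated test.yml before this PR.
    let before = "name: test\non:\n  push:\njobs:\n  build:\n    runs-on: ubuntu-latest\n";
    println!("jobs without explicit permissions: {:?}", jobs_missing_permissions(before));
}
```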

Copilot AI and others added 2 commits July 1, 2025 15:36
Co-authored-by: kennykerr <9845234+kennykerr@users.noreply.github.com>
Co-authored-by: kennykerr <9845234+kennykerr@users.noreply.github.com>
Copilot AI changed the title [WIP] Deal with CodeQL warnings related to workflow permissions Add explicit permissions to GitHub Actions workflows to fix CodeQL warnings Jul 1, 2025
Copilot AI requested a review from kennykerr July 1, 2025 15:41
Copilot finished work on behalf of kennykerr July 1, 2025 15:41
@kennykerr

Fix the new nightly Clippy warning in a separate PR.


@kennykerr kennykerr marked this pull request as ready for review July 1, 2025 18:03
@kennykerr

Closing as unnecessary as the defaults are already set to read-only.

@kennykerr kennykerr closed this Jul 1, 2025
@kennykerr kennykerr deleted the copilot/fix-3647 branch July 2, 2025 15:05