chore(ci): add top-level permissions: read-all to workflows (RAN-46 AC) (#90)

Closes one of the audit gaps from RAN-46 AC #2 ("Workflow permissions:
default to read-all, scoped up per job") + Scorecard Token-Permissions
finding.

Before:
- ci-java.yml had no permissions declaration anywhere — relied on
  repo-default GITHUB_TOKEN scope (which can be write-all on older repos).
- beta-java.yml + release-java.yml only had job-level scopes; missing the
  explicit top-level read-all that Scorecard checks for.

After:
- All three workflows declare `permissions: read-all` at the top level.
- ci-java.yml's build job now declares `contents: read` explicitly
  (no other scopes needed — Sonar uses SONAR_TOKEN, not GITHUB_TOKEN).
- beta-java.yml and release-java.yml keep their existing job-level
  `contents: write` (and `packages: write` for beta) which override the
  top-level for the deploy/tag steps.

Audit confirmation (orthogonal to the (A)/(B) security-stack ruling
still pending on RAN-46):
- All `uses:` SHA-pinned across all 4 workflows (Pinned-Dependencies)
- No pull_request_target anywhere (Dangerous-Workflow)
- scorecard.yml already had `permissions: read-all` at top level

Author: aksOps

.github/workflows/beta-java.yml

@@ -2,6 +2,8 @@ name: Beta Release (Java)
 on:
   workflow_dispatch:    # Manual trigger ONLY
 
+permissions: read-all
+
 jobs:
   beta:
     runs-on: ubuntu-latest

.github/workflows/ci-java.yml

@@ -6,9 +6,13 @@ on:
   pull_request:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
         with:

.github/workflows/release-java.yml

@@ -6,6 +6,8 @@ on:
         description: 'Release version (e.g., 0.1.0)'
         required: true
 
+permissions: read-all
+
 jobs:
   release:
     runs-on: ubuntu-latest