fix(security): add explicit workflow permissions

[cl-efornaciari]

Summary

Adds explicit permissions blocks to all workflow YAML files to resolve CodeQL actions/missing-workflow-permissions alerts (~12 alerts).

Changes

• Read-only workflows: Added permissions: { contents: read } to static-analysis, sonar-scan, lint, relayer, integration_gauntlet, integration-tests-soak, integration-tests-smoke, integration-tests-publish, monitoring-build-push-ecr, golangci-lint, examples, contracts
• Release workflows: Added workflow-level contents: read and job-level contents: write for starknet-relayer and starknet-gauntlet-cli release workflows
• Changesets: Added contents: write, pull-requests: write, actions: write (required for creating release PRs and dispatching workflows)

Scope

Workflow-only changes. Code alerts are handled in a separate PR.

Made with Cursor

[github-actions]

👋 cl-efornaciari, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

[chainchad]

Nit but you could add:

permissions: {}

At the top-level and then set each jobs permissions with exactly what it needs including contents: read

[cl-sonarqube-production]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

[github-actions]

This PR is stale because it has been open 30 days with no activity.
Remove the stale label or comment or this will be closed in 7 days.

[github-actions]

This PR has been automatically closed because it has been stale for > 30 days.
If you wish to continue working on this PR, please reopen it and make any necessary changes.