ci: add least-privilege permissions and pin softprops/action-gh-release

Resolves the 5 open CodeQL alerts on the repository:
- Add explicit `permissions:` blocks to all workflow jobs (contents:
  read for build/test/publish-pypi; contents: write for the GitHub
  release job that creates releases).
- Pin softprops/action-gh-release@v1 to its commit SHA.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ackizilkale

.github/workflows/publish.yml

@@ -11,6 +11,8 @@ on:
 jobs:
   publish-pypi:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -32,10 +34,12 @@ jobs:
     needs: publish-pypi
     name: Create Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           name: Release ${{ github.ref_name }}
           draft: false

.github/workflows/run_annotation_tests.yml

@@ -13,6 +13,8 @@ jobs:
   annotation-tests:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 20
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:

.github/workflows/run_tests.yml

@@ -12,6 +12,8 @@ jobs:
   build:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 20
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: