
ci: pin GITHUB_TOKEN to contents:read in all workflows #172

Merged
wyattjoh merged 1 commit into main from security/workflow-permissions
Apr 16, 2026

ci: pin GITHUB_TOKEN to contents:read in all workflows#172
wyattjoh merged 1 commit intomainfrom
security/workflow-permissions

Conversation

@wyattjoh
Contributor

@wyattjoh wyattjoh commented Apr 15, 2026

Summary

  • Add top-level permissions: contents: read to ci.yml, build-binaries.yml, smoke-test.yml, and sign-macos.yml.
  • Matches the pin already on release.yml and the job-level pin on enforce-changeset.yml.
  • Closes 8 CodeQL actions/missing-workflow-permissions alerts.

Test plan

  • CI runs green on this PR (workflows still only need read access to repo contents)
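
An added check, not code from the project or from this PR, that reproduces the condition CodeQL's actions/missing-workflow-permissions rule flags: a workflow is clean if it has a workflow-level `permissions:` block (every job inherits it), otherwise each job needs its own. The three sample workflows are constructed for the example; the job ids and step commands are made up and do not come from the repository. The scan is line-based and assumes the two-space indentation GitHub workflow files normally use, so it runs without a YAML library.

```python
from typing import Dict, List, Optional

# Constructed sample workflows for this example (not files from the project).
# UNPINNED mirrors the state CodeQL flags: no permissions block anywhere, so
# every job runs with the repository's default GITHUB_TOKEN scope, which may
# be read/write.
UNPINNED = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: npm run lint
"""

# The shape this PR adds: a workflow-level pin that every job inherits.
TOP_LEVEL_PIN = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: npm run lint
"""

# A job-level pin of the kind the PR describes on enforce-changeset.yml: only the
# job that declares permissions is covered; 'untouched' still gets the default.
JOB_LEVEL_PIN = """\
name: enforce-changeset
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: npx changeset status
  untouched:
    runs-on: ubuntu-latest
    steps:
      - run: echo no-op
"""


def audit_workflow(text: str) -> Dict[str, object]:
    """Line-based scan of a workflow file.

    Returns {"top_level": bool, "jobs": {job_id: has_own_permissions_block}}.
    Assumes two-space indentation: top-level keys at column 0, job ids at
    indent 2, job keys at indent 4.
    """
    top_level = False
    jobs: Dict[str, bool] = {}
    in_jobs = False
    current_job: Optional[str] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            # A new top-level key; remember whether we are now inside 'jobs:'.
            in_jobs = stripped.startswith("jobs:")
            current_job = None
            if stripped.startswith("permissions:"):
                top_level = True
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            # Children of 'jobs:' at indent 2 are the job ids.
            current_job = stripped[:-1]
            jobs[current_job] = False
        elif in_jobs and current_job and indent == 4 and stripped.startswith("permissions:"):
            jobs[current_job] = True
    return {"top_level": top_level, "jobs": jobs}


def jobs_missing_permissions(text: str) -> List[str]:
    """Job ids that would run with the repository default GITHUB_TOKEN scope.

    A workflow-level block is inherited by every job, so nothing is reported
    when it is present; otherwise every job without its own block is reported.
    """
    result = audit_workflow(text)
    if result["top_level"]:
        return []
    return [job for job, pinned in result["jobs"].items() if not pinned]


if __name__ == "__main__":
    for label, wf in [("unpinned", UNPINNED), ("top-level pin", TOP_LEVEL_PIN),
                      ("job-level pin", JOB_LEVEL_PIN)]:
        print(f"{label}: jobs missing permissions -> {jobs_missing_permissions(wf) or 'none'}")
```

One caveat the scan does not cover: a job-level `permissions:` block replaces the workflow-level one for that job rather than narrowing it, so a job can still declare `contents: write` under a `contents: read` workflow pin. Reviewing the contents of any job-level block is a separate check from the presence check shown here.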

@changeset-bot

changeset-bot bot commented Apr 15, 2026

⚠️ No Changeset found

Latest commit: 7bfbe2a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@wyattjoh
Contributor Author

wyattjoh commented Apr 15, 2026

@wyattjoh wyattjoh force-pushed the security/pkce-rejection-sampling branch from 67a57a1 to 1eada24 on April 15, 2026 22:47
@wyattjoh wyattjoh force-pushed the security/workflow-permissions branch from 68c54c5 to 94620e0 on April 15, 2026 22:47
Base automatically changed from security/pkce-rejection-sampling to main on April 15, 2026 23:17
Add top-level `permissions: contents: read` to ci.yml, build-binaries.yml,
smoke-test.yml, and sign-macos.yml. Matches the defense-in-depth already
applied to release.yml and the job-level pin on enforce-changeset.yml.

Flagged by CodeQL (actions/missing-workflow-permissions).
@wyattjoh wyattjoh force-pushed the security/workflow-permissions branch from 94620e0 to 7bfbe2a on April 15, 2026 23:26
@wyattjoh wyattjoh marked this pull request as ready for review on April 15, 2026 23:26
@coderabbitai

coderabbitai bot commented Apr 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 8ac823f and 7bfbe2a.

📒 Files selected for processing (4)
  • .github/workflows/build-binaries.yml
  • .github/workflows/ci.yml
  • .github/workflows/sign-macos.yml
  • .github/workflows/smoke-test.yml

📝 Walkthrough

This pull request adds a top-level permissions block to four GitHub Actions workflow files: build-binaries.yml, ci.yml, sign-macos.yml, and smoke-test.yml. Each workflow now declares contents: read permission, constraining the default GitHub token access to read-only for repository contents across all jobs and steps in each workflow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The title accurately summarizes the main change: pinning GITHUB_TOKEN to contents:read across all workflow files.
  • Description check: ✅ Passed. The description clearly relates to the changeset, detailing which workflows are modified, why (CodeQL alerts), and providing a test plan.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




@wyattjoh wyattjoh merged commit cd73539 into main Apr 16, 2026
11 of 15 checks passed
@wyattjoh wyattjoh deleted the security/workflow-permissions branch April 16, 2026 19:46