docker-builds

VLN-493: Set explicit permissions for GitHub Actions workflows

Open picatz opened this issue 2 months ago • 0 comments

Summary

  • .github/workflows/lint.yml: Granted the workflow GITHUB_TOKEN read-only access to repository contents to support checkout while following least-privilege guidance.
  • .github/workflows/docker-build-only.yml: Replaced broad read-all token scope with explicit contents read and actions write permissions needed for checkout and artifact upload in the reusable build workflow.
  • .github/workflows/docker.yml: Augmented the existing permission set with actions write so the build job can upload artifacts while maintaining other required scopes.
  • .github/workflows/features-integration.yml: Scoped the workflow token to contents read and actions write so the reusable build job can upload artifacts without unnecessary additional privileges.
  • .github/workflows/release-admin-tools.yml: Limited the workflow token to repository contents read access since the release job only needs checkout capability.
  • .github/workflows/release-all-base-image.yml: Restricted the workflow token to contents read access, which is sufficient for building and pushing Docker images.
  • .github/workflows/release-base-image.yml: Set the workflow token to contents read to support repository checkout while avoiding broader defaults.
  • .github/workflows/release-temporal.yml: Configured the workflow token for contents read only, matching the checkout requirements of the release automation.

picatz Oct 29 '25 17:10
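One way to check `permissions:` blocks like the ones described above mechanically, as an added example that is not part of the issue or the docker-builds project: a standard-library Python script that reads a workflow's top-level permissions and flags a missing block, a blanket `read-all`/`write-all`, or a `write` scope that is not on an approved list. The workflow texts below are constructed, and the approved-write set is an assumption the caller supplies.

```python
import re
from typing import Dict, Iterable, List, Optional, Union

# Added example, not from the issue or docker-builds. A small line-based reader
# (standard library only) stands in for a YAML parser; samples are constructed.


def top_level_permissions(workflow: str) -> Optional[Union[str, Dict[str, str]]]:
    """Workflow-level permissions, or None when absent (repository default applies)."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*(#.*)?$", line)
        if not m:
            continue
        if m.group(1):  # shorthand on the same line: read-all / write-all / {}
            return {} if m.group(1) == "{}" else m.group(1)
        scopes: Dict[str, str] = {}  # block form: indented "scope: access" lines
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt[0].isspace():  # next top-level key ends the block
                break
            scope, _, access = nxt.strip().partition(":")
            scopes[scope.strip()] = access.split("#", 1)[0].strip()
        return scopes
    return None


def audit(workflow: str, allowed_write: Iterable[str] = ()) -> List[str]:
    """Least-privilege findings: missing block, blanket scope, unapproved writes."""
    perms = top_level_permissions(workflow)
    if perms is None:
        return ["no top-level permissions: token inherits the repository default"]
    if isinstance(perms, str):
        return [f"permissions: {perms} covers every scope; list only the ones used"]
    return [f"{scope}: write is not in the approved write set"
            for scope, access in perms.items()
            if access == "write" and scope not in set(allowed_write)]


# Constructed samples shaped like the before/after the issue describes.
BEFORE = """name: docker-build-only
on: [workflow_call]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
"""
AFTER = BEFORE.replace("permissions: read-all",
                       "permissions:\n  contents: read  # checkout\n  actions: write  # artifact upload")
MISSING = BEFORE.replace("permissions: read-all\n", "")
```

Running `audit(AFTER, allowed_write={"actions"})` returns no findings, while `audit(BEFORE)` reports the blanket `read-all` and `audit(MISSING)` reports the absent block.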