
Add top level permissions to workflows#14501

Merged
truggeri merged 7 commits into main from truggeri/workflow_permissions on Mar 23, 2026

Conversation

@truggeri truggeri (Contributor) commented Mar 20, 2026

What are you trying to accomplish?

There are open code scanning alerts related to "Token-Permissions" where there's not a top level permissions block in some workflows in this repo. This was fixed for a single workflow in #14479.

How will you know you've accomplished your goal?

We will be successful when all the code scanning alerts close.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@truggeri truggeri self-assigned this Mar 20, 2026
@truggeri truggeri marked this pull request as ready for review March 23, 2026 22:02
@truggeri truggeri requested a review from a team as a code owner March 23, 2026 22:02
Copilot AI review requested due to automatic review settings March 23, 2026 22:02
@truggeri truggeri enabled auto-merge March 23, 2026 22:02
Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses Code Scanning “Token-Permissions” alerts by adding explicit top-level permissions blocks to GitHub Actions workflows and then scoping per-job permissions to the minimum needed.

Changes:

  • Add top-level permissions: {} to multiple workflows to avoid relying on implicit defaults.
  • Add/adjust job-level permissions (e.g., contents: read, actions: read, security-events: write) where required.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Summary per file

  • .github/workflows/smoke.yml: Adds permissions blocks (but current placement makes permissions part of env, which is incorrect).
  • .github/workflows/images-updater-core.yml: Adds top-level permissions: {}; job already sets required write scopes for GHCR/cosign.
  • .github/workflows/images-branch.yml: Adds top-level permissions: {} and tightens job permissions for approval job.
  • .github/workflows/gems-release-to-rubygems.yml: Adds top-level permissions: {}; job keeps needed id-token: write.
  • .github/workflows/gems-bump-version.yml: Adds top-level permissions: {} and sets minimal job permissions.
  • .github/workflows/copilot-setup-steps.yml: Adds top-level permissions: {}; job remains contents: read.
  • .github/workflows/codeql-analysis.yml: Adds top-level permissions: {}; job keeps security-events: write.
  • .github/workflows/ci.yml: Adds top-level permissions: {} and ensures each job has contents: read.
  • .github/workflows/check-sorbet-typing-mode.yml: Adds top-level permissions: {}; job remains contents: read.

@@ -15,9 +15,13 @@ concurrency:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SMOKE_TEST_BRANCH: ${{ vars.SMOKE_TEST_BRANCH || 'main' }}
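Review bot: confirm that the `permissions: {}` this hunk introduces sits at column 0, at the same indentation as `env:` and `jobs:`; only the unchanged `env:` context is visible here, and if the new key is nested under `env:` YAML parses it as an environment variable whose value is a mapping, which the workflow schema rejects, while the top-level key the Token-Permissions alert looks for is still absent. Separately, `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is exported workflow-wide, so once the top level is `{}` every job that runs `gh` must grant the scopes those calls need in its own job-level `permissions:` block, or the calls will fail with 403.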
Copilot AI commented Mar 23, 2026

permissions: {} is indented under env: which makes it an environment variable entry rather than the workflow-level permissions block. This likely breaks the workflow syntax (env values must be strings) and also won’t address the Token-Permissions alert. Move permissions: {} out to the top level (same indentation as env:/jobs:).

Suggested change
SMOKE_TEST_BRANCH: ${{ vars.SMOKE_TEST_BRANCH || 'main' }}
SMOKE_TEST_BRANCH: ${{ vars.SMOKE_TEST_BRANCH || 'main' }}

@truggeri truggeri (Contributor Author) commented

I don't think that's right

@truggeri truggeri merged commit d9bc1b4 into main Mar 23, 2026
170 of 171 checks passed
@truggeri truggeri deleted the truggeri/workflow_permissions branch March 23, 2026 23:07
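To make the review's two points concrete, here is an added example (not code from this repository or from the PR author): three constructed sample workflows, one with no top-level `permissions` block, one with `permissions: {}` misindented under `env:` as described in the inline comment, and one laid out the way the PR intends (empty top-level block, each job granting only what it needs), together with a small checker that reports the same conditions the Token-Permissions alert and the reviewer flagged. The workflow names, job names and steps are illustrative assumptions.

```ruby
require "yaml"

# Three constructed sample workflows (not files from this repository) that show the
# states discussed in the review: no top-level block, the block misindented under
# env:, and the intended layout of an empty top-level block with per-job grants.
# Note that Psych (YAML 1.1) parses the bare key `on` as the boolean true, so the
# checker never keys on it.
WORKFLOW_IMPLICIT = <<~YAML
  name: ci
  on: [push]
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
YAML

WORKFLOW_MISPLACED = <<~YAML
  name: smoke
  on: [push]
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: {}
  jobs:
    smoke:
      runs-on: ubuntu-latest
      permissions:
        contents: read
      steps:
        - run: gh pr list
YAML

WORKFLOW_SCOPED = <<~YAML
  name: codeql
  on: [push]
  permissions: {}
  jobs:
    analyze:
      runs-on: ubuntu-latest
      permissions:
        contents: read
        security-events: write
      steps:
        - uses: actions/checkout@v4
YAML

def scalar?(value)
  value.is_a?(String) || value.is_a?(Numeric) || value == true || value == false
end

# Returns the list of problems found in one workflow document; empty means it
# matches the layout the PR is aiming for.
def audit_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text)
  findings = []
  top = doc["permissions"]

  if !doc.key?("permissions")
    findings << "no top-level permissions block; every job inherits the repository default token scopes"
  elsif top == "write-all"
    findings << "top-level permissions is write-all; prefer {} and grant scopes per job"
  end

  # A misindented `permissions: {}` parses as an env entry whose value is a Hash.
  # Environment variable values must be scalars, so the runner rejects the file,
  # and the top-level key is still absent, so the alert stays open.
  (doc["env"] || {}).each do |name, value|
    next if scalar?(value)
    findings << "env.#{name} is #{value.inspect}, not a scalar; a misindented block ends up here"
  end

  (doc["jobs"] || {}).each do |job_name, job|
    next if job.key?("permissions")
    next unless top == {}
    findings << "job #{job_name} inherits the empty top-level block, so GITHUB_TOKEN has no " \
                "scopes; add e.g. contents: read if it checks out code or calls the API"
  end
  findings
end

# Write grants per job, so a reviewer can confirm each one is actually needed.
def job_write_scopes(yaml_text)
  doc = YAML.safe_load(yaml_text)
  (doc["jobs"] || {}).each_with_object({}) do |(job_name, job), out|
    perms = job["permissions"]
    next unless perms.is_a?(Hash)
    writes = perms.select { |_scope, level| level == "write" }.keys
    out[job_name] = writes unless writes.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  { "implicit" => WORKFLOW_IMPLICIT, "misplaced" => WORKFLOW_MISPLACED, "scoped" => WORKFLOW_SCOPED }.each do |label, text|
    problems = audit_workflow(text)
    puts "#{label}: #{problems.empty? ? 'clean' : problems.join(' | ')}"
  end
end
```

Run it against real files by reading each `.github/workflows/*.yml` into `audit_workflow`; the misplaced sample produces two findings (missing top-level key and a non-scalar `env.permissions`), which is exactly why the misindentation both breaks the workflow and leaves the alert open, while the scoped sample is clean and `job_write_scopes` lists only `security-events` for the `analyze` job.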