Add least-privilege permissions to build.yml workflow

[Copilot]

GitHub workflows without explicit permissions inherit the repository default, which may be write-all. The build.yml workflow was the only one missing an explicit permissions key.

Changes

• build.yml: Added permissions: contents: read at the workflow root — the minimum required for checkout, build, test, and artifact upload (which uses an internal runtime token, not GITHUB_TOKEN)

The other workflows already had appropriate permissions (validate-yaml.yml: contents: read, release.yml: contents: write).

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add permissions to github workflows</issue_title>
<issue_description>Add the permissions key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own permissions key) and assign the least privileges required to complete the task.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Add permissions to github workflows #391

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.