
Add explicit permissions blocks to caller workflow templates#136

Merged
mtfishman merged 1 commit into main from mf/permissions-blocks on May 3, 2026

Conversation

@mtfishman
Member

Summary

Adds explicit permissions: blocks to each of the workflow templates that callers consume. Previously most templates declared no permissions: block at all, so the resulting per-repo workflow files inherited their GITHUB_TOKEN ceiling from whatever the consuming repo's Actions default happened to be (currently default_workflow_permissions: write org-wide).

After this change, every workflow declares its own minimum ceiling in the YAML. Any future change to the org or per-repo Actions default can only narrow (never widen) what these workflows can do — the security posture lives in code review (the YAML diff) rather than in admin clicks.

Per-workflow permissions

The minimum each workflow actually needs:

  • Tests, FormatCheck, CheckCompatBounds: contents: read (checkout-only).
  • VersionCheck: contents: read, pull-requests: read (reads the PR's changed-file list to decide whether a version bump is required).
  • IntegrationTest: actions: read, contents: read (the gate job inspects matrix-leg results via the Actions API).
  • Documentation: contents: write (gh-pages deploy).
  • TagBot: contents: write, issues: read (creates the release tag, reads PR/issue refs for release notes).

Already-permissioned templates (CompatHelper, FormatPullRequest, IntegrationTestRequest, Registrator) were left unchanged. FormatCheckComment was normalized from a job-level block to a workflow-level block so all caller files follow the same shape.

How it was verified

End-to-end on ITensor/SparseArraysBase.jl (PR #176) with that repo's per-repo Actions setting temporarily flipped to default_workflow_permissions: read and can_approve_pull_request_reviews: false — the same end state planned for the org defaults later. Without these blocks, three workflows fail to start with errors like "The nested job 'tests' is requesting 'contents: write', but is only allowed 'contents: read'". With the blocks in place, all workflows pass under the read-only ceiling.

Impact for downstream consumers

No behavior change. Each workflow continues to do exactly what it did before. After this lands, packages that re-render their workflows from the templates pick up the new permissions blocks; MassApplyPatch will propagate the same shape across the rest of the ecosystem in a follow-up sweep.

Each template now declares the minimum GITHUB_TOKEN ceiling its
caller workflow needs, rather than relying on the org/repo
default_workflow_permissions setting. This means each workflow's
effective privileges live in the YAML (visible in code review)
rather than in a settings page, and any future change to the org
or repo Actions default can only narrow (never widen) what these
workflows can do.

Per-workflow permissions:

- Tests, FormatCheck, CheckCompatBounds: contents: read
- VersionCheck: contents: read, pull-requests: read
- IntegrationTest: actions: read, contents: read
- Documentation: contents: write (gh-pages deploy)
- TagBot: contents: write, issues: read

Existing already-permissioned workflows (CompatHelper, FormatPullRequest,
IntegrationTestRequest, Registrator) were not changed. FormatCheckComment
was normalized from a job-level block to a workflow-level block so all
caller files follow the same shape.

Verified end-to-end on ITensor/SparseArraysBase.jl with that repo's
per-repo default_workflow_permissions flipped to `read` and
can_approve_pull_request_reviews flipped to `false` to mirror the
planned org-default end state. All workflows pass under the read-only
ceiling with these blocks in place.
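The two checks the description above relies on, as an added example that is not part of the PR or the project's templates: a caller workflow with no top-level permissions: block inherits the repo/org default_workflow_permissions, and a reusable ("nested") job is refused before it starts if it requests more than the caller's ceiling. The ceiling tables, the scope list, the example-org/workflow-templates path and the nested job names are modelling assumptions, not values taken from the page.

```python
# Permission levels ordered so that a request can be compared with a ceiling.
RANK = {"none": 0, "read": 1, "write": 2}

# GITHUB_TOKEN scopes used in this model (assumption: illustrative subset).
SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")


def default_ceiling(default_workflow_permissions):
    """Ceiling a caller inherits when it declares no permissions block.

    Modelling assumption: the Actions setting 'write' grants write on every
    scope except id-token, 'read' grants read on contents and packages only,
    and metadata is always read.
    """
    if default_workflow_permissions == "write":
        ceiling = {scope: "write" for scope in SCOPES if scope != "id-token"}
    elif default_workflow_permissions == "read":
        ceiling = {"contents": "read", "packages": "read"}
    else:
        raise ValueError(f"unknown default: {default_workflow_permissions!r}")
    ceiling["metadata"] = "read"
    return ceiling


def resolve_ceiling(declared, default_workflow_permissions):
    """Effective GITHUB_TOKEN ceiling for a caller workflow.

    An explicit block replaces the default entirely: every scope it does not
    name is 'none', which is why a declared block can only narrow the
    inherited ceiling and a later change to the default cannot widen it.
    """
    if declared is None:
        return default_ceiling(default_workflow_permissions)
    ceiling = {"metadata": "read"}
    ceiling.update(declared)
    return ceiling


def check_nested_job(job_name, requested, ceiling):
    """Errors Actions would raise before starting a reusable-workflow job.

    Empty list means every requested scope fits under the caller's ceiling;
    the message shape mirrors the one quoted in the PR description.
    """
    errors = []
    for scope, level in requested.items():
        allowed = ceiling.get(scope, "none")
        if RANK[level] > RANK[allowed]:
            errors.append(
                f"The nested job '{job_name}' is requesting '{scope}: {level}', "
                f"but is only allowed '{scope}: {allowed}'"
            )
    return errors


def parse_top_level_permissions(workflow_yaml):
    """Return the top-level permissions mapping, or None when the file has none.

    Minimal parser for the flat 'scope: level' block these templates use
    (assumption: no read-all/write-all shorthand, no anchors). The key must
    sit at column 0; an indented 'permissions:' is a job-level block.
    """
    lines = workflow_yaml.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("permissions:"):
            if line.partition(":")[2].strip():
                raise ValueError("inline permissions shorthand is not modelled")
            declared = {}
            for child in lines[i + 1:]:
                if not child.startswith((" ", "\t")):
                    break
                scope, _, level = child.strip().partition(":")
                declared[scope.strip()] = level.strip()
            return declared
    return None


def audit_caller(workflow_yaml, nested_requests, default_workflow_permissions):
    """Errors a caller file would hit under a given org/repo default."""
    ceiling = resolve_ceiling(parse_top_level_permissions(workflow_yaml),
                              default_workflow_permissions)
    errors = []
    for job_name, requested in nested_requests.items():
        errors.extend(check_nested_job(job_name, requested, ceiling))
    return errors


# Constructed caller files in the two shapes the PR contrasts (hypothetical path).
CALLER_BEFORE = """\
name: Tests
on: [push, pull_request]
jobs:
  tests:
    uses: example-org/workflow-templates/.github/workflows/Tests.yml@main
"""

CALLER_AFTER = """\
name: Tests
on: [push, pull_request]
permissions:
  contents: read
jobs:
  tests:
    uses: example-org/workflow-templates/.github/workflows/Tests.yml@main
"""

if __name__ == "__main__":
    # Flip the default from write to read and see which shape keeps starting.
    nested = {"tests": {"contents": "read"}}
    for default in ("write", "read"):
        for label, text in (("before", CALLER_BEFORE), ("after", CALLER_AFTER)):
            errs = audit_caller(text, nested, default)
            print(f"default={default:5} {label:6} -> {errs or 'all jobs start'}")
```

Run it over the .github/workflows/*.yml files of a repo with the planned default to see which callers would stop starting before the org setting is changed; the audit is a pre-flight for the same flip the PR verified by hand on one repo.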
@codecov

codecov Bot commented May 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.34%. Comparing base (12ad8fe) to head (8355665).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #136   +/-   ##
=======================================
  Coverage   87.34%   87.34%           
=======================================
  Files           1        1           
  Lines         158      158           
=======================================
  Hits          138      138           
  Misses         20       20           
Flag   Coverage     Δ
docs   60.13% <ø>   (ø)


@mtfishman mtfishman merged commit e1aa975 into main May 3, 2026
15 checks passed
@mtfishman mtfishman deleted the mf/permissions-blocks branch May 3, 2026 17:54