fix: add explicit permissions to workflow jobs (CodeQL)

Adds `permissions: contents: read` to both validate-hacs and
validate-hassfest jobs. GitHub's default GITHUB_TOKEN permissions are
broad; declaring minimal permissions follows least-privilege and
resolves the CodeQL actions/missing-workflow-permissions medium alerts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: chrisdpurcell

.github/workflows/validate.yml

@@ -13,6 +13,8 @@ jobs:
   validate-hacs:
     name: HACS Validation
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: HACS Validation
@@ -23,6 +25,8 @@ jobs:
   validate-hassfest:
     name: Hassfest Validation
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Hassfest Validation