🌱 harden git workflows

[PrashantR30]

Description

This PR hardens GitHub Actions workflows by disabling persisted Git credentials on checkout steps and explicitly scoping workflow permissions to the minimum required access.

The changes reduce the risk of unintended GITHUB_TOKEN exposure to later workflow steps while preserving existing CI behavior. Workflows that only read repository contents now use read-only permissions, while image publishing workflows keep the required package write permissions.

Checklist

• No secrets, sensitive information, or unrelated changes
• Lint checks passing (make lint)
• Generated assets in-sync (make validate-generated-assets)
• Go mod artifacts in-sync (make validate-modules)
• Test cases are added for new code paths

Testing

Validated the workflow YAML changes manually.
No application code was changed. This PR only updates GitHub Actions workflow configuration for credential and permission hardening, but still we let the test run to validate if the workflow operation works.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[rahulait]

Thanks @PrashantR30 for this change. Is there a specific reason why a subset of workflows were updated? For example, coverage.yaml, release-images-list.yaml, etc were not touched.