SECCMP-1797: Harden permissions - add top-level read, fix contents: write

Adds top-level permissions: contents: read to restrict the default
GITHUB_TOKEN. Also fixes the previous contents: write on the
copyright-validation job to contents: read.

This follows the principle of least privilege recommended in
GitHub's PwnRequest security guidance.

Author: GAdityaVarma

.github/workflows/pr-workflow.yaml

@@ -1,23 +1,22 @@
 name: PR Workflow
 
 on:
-  # Using pull_request_target instead of pull_request to handle PRs from forks
   pull_request_target:
     types: [opened, edited, reopened, synchronize]
-    # No branch filtering - will run on all PRs
+
+permissions:
+  contents: read
 
 jobs:
   jira-pr-check:
     name: 🏷️ Validate JIRA ticket ID
-    # Use the reusable workflow from the central repository
     uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main
     with:
-      # Pass the PR title from the event context
       pr-title: ${{ github.event.pull_request.title }}
   copyright-validation:
     name: © Validate Copyright Headers
     uses: marklogic/pr-workflows/.github/workflows/copyright-check.yml@main
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
       issues: write