Declare workflow-level permissions for CI and TODO-to-Issue

[arpitjain099]

Note: .github/ is in this repos .gitignore, so this commit uses git add -f` to override the ignore for these workflow files. I assume the gitignore entry is incidental rather than deliberate — happy to update the gitignore in this PR if maintainers prefer.

Two workflows declared no permissions: block:

• ci.yml — gradle assembleDebug + lint + unit tests. contents: read covers checkout.
• todo-to-issue.yml — uses alstr/todo-to-issue-action to find TODO comments in a PR, create issues for them, rewrite the TODOs inline with the new issue URLs, and git push those rewrites back. Needs:
  • contents: write — the inline rewrite + git push origin "$HEAD_REF" step
  • issues: write — the action creates issues via the Issues API

The job is gated on github.event.pull_request.head.repo.full_name == github.repository, so it never runs on fork PRs.

test-e2e.yml and e2e-dispatch.yml in this repo already use the explicit-permissions convention.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.01%. Comparing base (8485e39) to head (a7deba1).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #3734      +/-   ##
============================================
+ Coverage     67.99%   68.01%   +0.02%     
- Complexity     1612     1613       +1     
============================================
  Files           370      370              
  Lines          9563     9563              
  Branches       1248     1248              
============================================
+ Hits           6502     6504       +2     
+ Misses         2382     2381       -1     
+ Partials        679      678       -1     

see 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.