transformers

bc7b4cf9 - chore(ci): set default workflow permissions to contents: read (#45961)

chore(ci): set default workflow permissions to contents: read (#45961) Add an explicit top-level `permissions:` block to every workflow that did not have one. The new default grants only `contents: read` so that the auto-generated `GITHUB_TOKEN` available to each job starts at the minimum needed to checkout the repo; jobs that need more (e.g. issue/PR comments, status updates, OIDC token, packages write) already declare their own job-level `permissions:` overrides which are preserved. Also tighten `pr-repo-consistency-bot.yml` and `self-comment-ci.yml` from `permissions: read-all` to `permissions: { contents: read }`. Zizmor 1.24.1: 116 `warning[excessive-permissions]` -> 0. Closes the matching CodeQL `actions/missing-workflow-permissions` alerts. Behavior: no change. Workflows that were implicitly relying on the default `GITHUB_TOKEN` write permissions (issue comments, statuses, deployments, ...) already had job-level overrides; this change only removes the implicit-write hammock for jobs that did not need it.