Conversation

@devin-ai-integration
Contributor

chore(ci): add permissions to workflow files

Summary

Added explicit permissions: contents: read declarations to GitHub Actions workflow files to follow security best practices. This change makes the minimum required permissions explicit rather than relying on default permissions, implementing the principle of least privilege.

Changes:

  • Added permissions: contents: read to .github/workflows/add-asana-comment.yml
  • Added permissions: contents: read to .github/workflows/ci.yml

Both additions are placed at the top level of the workflow, after the on: trigger section and before the jobs: section.

Review & Testing Checklist for Human

  • Verify that CI checks pass successfully
  • Confirm the Asana workflow still functions correctly (creates comments on new PRs)
  • Double-check that no workflows require additional permissions (e.g., pull-requests: write, issues: write, etc.)

Notes

This is a security hardening change being applied across multiple repositories in the freckle organization. The contents: read permission is the minimum required for most read-only CI workflows.

If any workflow fails due to insufficient permissions after this change, we may need to add additional specific permissions (e.g., pull-requests: write for the Asana comment workflow if it needs to create PR comments).

Link to Devin run: https://app.devin.ai/sessions/8be07b97ddec449cb5b2a86c82f8a57d
Requested by: joris.buchou@renaissance.com (@joris974)
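
An added example, not part of the pull request or the repository's code: a standard-library Python check for the last checklist item, reporting whether a workflow file declares a top-level permissions block and which scopes it grants write access to. The sample workflows are constructed, and the line-based parsing assumes block-style YAML with top-level keys at column 0.

```python
import re

# A key at column 0 is a top-level workflow key (name, on, permissions, jobs, ...).
TOP_KEY = re.compile(r"^(['\"]?)([A-Za-z_][\w-]*)\1\s*:\s*(.*)$")

def audit_workflow(text):
    """Return (top-level permissions dict or None, findings) for one workflow file."""
    perms, in_perms = None, False
    for raw in text.splitlines():
        line = raw.split("#")[0].rstrip()      # naive comment strip, enough for this check
        if not line.strip():
            continue
        m = TOP_KEY.match(line)
        if m:
            key, value = m.group(2), m.group(3).strip()
            in_perms = key == "permissions"
            if in_perms:                        # scalar form: read-all / write-all / {}
                perms = {} if value in ("", "{}") else {"*": value}
        elif in_perms:                          # indented "scope: level" entries
            scope, _, level = line.strip().partition(":")
            perms[scope.strip()] = level.strip()
    if perms is None:
        return None, ["no top-level permissions block: token scope falls back to defaults"]
    writes = sorted(s for s, lvl in perms.items() if lvl in ("write", "write-all"))
    return perms, [f"write access granted: {s}" for s in writes]

# Constructed sample workflows (not the repository's real files).
BASE = "name: CI\non:\n  pull_request:\n{perms}jobs:\n  test:\n    runs-on: ubuntu-latest\n"
BEFORE = BASE.format(perms="")
AFTER = BASE.format(perms="permissions:\n  contents: read\n")
COMMENTER = BASE.format(perms="permissions:\n  contents: read\n  pull-requests: write\n")

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER), ("commenter", COMMENTER)):
        print(name, audit_workflow(wf))
```

Job-level permissions blocks are deliberately ignored here; only the top-level declaration this pull request adds is checked.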

@devin-ai-integration devin-ai-integration bot requested a review from a team as a code owner October 14, 2025 21:52
@devin-ai-integration devin-ai-integration bot requested review from StevenXL and removed request for a team October 14, 2025 21:52
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@joris974 joris974 enabled auto-merge (squash) October 15, 2025 15:06
@joris974 joris974 merged commit 666a5f9 into main Oct 15, 2025
12 checks passed
@joris974 joris974 deleted the devin/1760478243-add-workflow-permissions branch October 15, 2025 15:06