ci: add explicit least permissions to workflows #12813

Merged
shreemaan-abhishek merged 2 commits into apache:master from shreemaan-abhishek:fix/explicitly-define-workflow-permisions
Apr 10, 2026

Conversation

@shreemaan-abhishek
Contributor

Description

This PR explicitly defines the permissions block for several GitHub Actions workflows that were previously relying on the default (potentially permissive) settings.

By setting permissions: contents: read (and pull-requests: read where necessary), we ensure that the GITHUB_TOKEN used in these workflows follows the principle of least privilege. This acts as a security measure to limit the impact of a compromised workflow step.

With a compromised GitHub token, a bad actor can:

  • Push malicious code directly to the master branch.
  • Create or delete releases and tags.
  • Modify repository settings or secrets (if applicable).

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

Signed-off-by: Abhishek Choudhary <shreemaan.abhishek@gmail.com>
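As an added illustration (not a file from this PR or from apache/apisix), the kind of change the PR describes: a workflow that inherits the default token scopes, the same workflow with an explicit workflow-level permissions block, and a pull_request_target workflow that additionally needs pull-requests: read. Workflow names, the script path and the PR-title convention are assumed placeholders.

```yaml
# Added illustration, not a workflow from apache/apisix. Three separate
# workflow files are shown, separated by YAML document markers.

# --- 1. Before: no permissions block. GITHUB_TOKEN receives the repository
# default scopes, which may be read-write on contents, packages, etc.
name: license-checker (before)
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./ci/check-license-headers.sh   # assumed script path
---
# --- 2. After: workflow-level permissions block. Every job inherits it,
# so the token can only read repository contents; a compromised step
# cannot push, or create/delete releases and tags, with this token.
name: license-checker (after)
on: [pull_request]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./ci/check-license-headers.sh   # assumed script path
---
# --- 3. pull_request_target runs with the base repository's token, so
# restricting it matters most here. PR metadata (the title) is needed,
# so pull-requests: read is granted in addition to contents: read.
name: semantic (after)
on:
  pull_request_target:
    types: [opened, edited, synchronize]
permissions:
  contents: read
  pull-requests: read
jobs:
  title:
    runs-on: ubuntu-latest
    env:
      # Passed via env, not interpolated into the script, so an attacker-
      # controlled title cannot inject shell commands.
      TITLE: ${{ github.event.pull_request.title }}
    steps:
      # Assumed title convention; the step only reads the title.
      - run: |
          echo "$TITLE" | grep -Eq '^(feat|fix|ci|docs|chore|refactor)(\(.+\))?: ' \
            || { echo "PR title does not follow the convention"; exit 1; }
```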
dosubot (bot) added the labels size:S (This PR changes 10-29 lines, ignoring generated files) and github_actions (Pull requests that update GitHub Actions code) on Dec 13, 2025
@github-actions

This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.

@shreemaan-abhishek
Contributor Author

.


Copilot AI left a comment


Pull request overview

This PR tightens GitHub Actions security by explicitly setting GITHUB_TOKEN permissions in workflows that previously relied on repository defaults, applying least-privilege access (primarily contents: read, and pull-requests: read where PR metadata is needed).

Changes:

  • Add explicit permissions: contents: read to multiple workflows to avoid implicitly permissive defaults.
  • Add pull-requests: read to the PR title/semantic workflow to allow PR metadata access under pull_request_target.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

Reviewed files:

  • .github/workflows/semantic.yml: Adds explicit read-only token permissions, including PR read access for PR-title validation.
  • .github/workflows/push-dev-image-on-commit.yml: Adds explicit contents: read permissions for the checkout/build workflow.
  • .github/workflows/license-checker.yml: Adds explicit contents: read permissions for the license header checking workflow.
  • .github/workflows/check-changelog.yml: Adds explicit contents: read permissions for the changelog verification workflow.


@moonming (Member) left a comment


Hi @shreemaan-abhishek, thank you for adding explicit least permissions to CI workflows!

This is a security best practice (principle of least privilege). I'll review the specific permission scopes in detail. The approach is correct — explicitly declaring minimum required permissions for each workflow. Please stand by for detailed review.

…-define-workflow-permisions

Signed-off-by: Abhishek Choudhary <shreemaan.abhishek@gmail.com>
@shreemaan-abhishek shreemaan-abhishek merged commit f8e88f3 into apache:master Apr 10, 2026
20 of 21 checks passed