
ci: declare read-all permissions on the kubernetes and card-build test workflows #3198

Open

arpitjain099 wants to merge 1 commit into Netflix:master from arpitjain099:chore/test-workflows-permissions

Conversation

@arpitjain099

Two test workflows currently don't declare a permissions: block, so they inherit whatever scope the repo's default grants the workflow GITHUB_TOKEN:

  • .github/workflows/full-stack-test.yml -- spins up a local minikube stack via metaflow-dev all-up and runs a tutorial flow. No GitHub API calls.
  • .github/workflows/test-card-build.yml -- npm ci && npm run build inside metaflow/plugins/cards/ui. No GitHub API calls.

permissions: read-all at workflow scope is the same shorthand test.yml already uses, so this patch keeps the style consistent. With explicit read-only scope:

  • a future change to the repo's default workflow-token grant can't widen these workflows
  • the SLSA / OpenSSF Scorecard Token-Permissions check goes green for these files
  • if any of the third-party actions reachable from these workflows is ever compromised (cf. tj-actions/changed-files CVE-2025-30066), the blast radius stays inside read.

I left ux-tests.yml out on purpose. It runs dorny/test-reporter@d61b558..., which writes check runs (checks: write), and it caches pip via actions/cache. Both touch the permissions story in ways I'd rather pin down in a separate PR if you're interested.

full-stack-test.yml and test-card-build.yml both only check out the
repo, install dependencies, and run tests against a local stack. They
don't post check runs, comment on PRs, push tags, or upload artifacts
that GitHub's API has to authorise. Declaring `permissions: read-all`
at workflow scope brings them into line with test.yml, which already
uses the same shorthand.

ux-tests.yml is deliberately left for a separate change since it uses
dorny/test-reporter (needs checks: write) and actions/cache, which
deserve a more careful permissions story than this drive-by patch.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
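As an added example (not part of this PR or the Metaflow repository), a small Python check for the condition the PR fixes: it reports which jobs in a workflow file have neither a workflow-level nor a job-level `permissions:` key and so inherit the repository's default GITHUB_TOKEN grant, and it also flags `write-all`. The workflow texts below are constructed stand-ins, not the real files; the scan is indentation-based so it needs no PyYAML.

```python
import re

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):(.*)$")  # matches `  key: value`


def audit_workflow(text: str) -> dict:
    """Report which jobs inherit the repo default GITHUB_TOKEN grant (no PyYAML needed)."""
    workflow_perms, jobs, in_jobs = None, {}, False  # top-level value; job id -> own value
    jobs_indent = child_indent = current_job = None
    for m in filter(None, map(KEY_RE.match, text.splitlines())):
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).strip() or "<block>"  # bare `permissions:` opens a scope map
        if indent == 0:  # workflow-level key
            in_jobs, jobs_indent, current_job = key == "jobs", None, None
            if key == "permissions":
                workflow_perms = value
        elif in_jobs:
            jobs_indent = jobs_indent or indent  # first key under `jobs:` fixes the level
            if indent == jobs_indent:  # a new job id
                current_job, child_indent = key, None
                jobs[key] = None
            elif current_job is not None:
                child_indent = child_indent or indent  # a job's direct keys (runs-on, steps, ...)
                if indent == child_indent and key == "permissions":
                    jobs[current_job] = value
    inherits = [j for j, p in jobs.items() if p is None and workflow_perms is None]
    write_all = [s for s, p in [("workflow", workflow_perms), *jobs.items()] if p == "write-all"]
    return {"workflow": workflow_perms, "jobs": jobs,
            "inherits_default": inherits, "write_all": write_all}


# Constructed stand-ins for the patched workflow, not the repository's real files.
BEFORE = """\
on: [pull_request]
jobs:
  minikube:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
AFTER = BEFORE.replace("jobs:\n", "permissions: read-all\njobs:\n", 1)
# A job that must write check runs keeps the workflow read-only and widens only itself
# (illustrative ux-tests-style shape, not the repository's own file).
JOB_SCOPED = """\
on: [pull_request]
permissions: read-all
jobs:
  report:
    permissions:
      checks: write
"""
```

Running `audit_workflow` over BEFORE lists `minikube` under `inherits_default`; AFTER and JOB_SCOPED list nothing there, which is the property the Scorecard Token-Permissions check is looking for.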
@greptile-apps
Contributor

greptile-apps Bot commented May 14, 2026

Greptile Summary

This PR adds permissions: read-all at the workflow scope to two GitHub Actions workflows that previously inherited the repository's default token permissions. The change aligns them with the existing test.yml style and limits the blast radius of any future supply-chain compromise affecting these workflows.

  • full-stack-test.yml: Adds permissions: read-all before the jobs: block; no changes to the minikube/Kubernetes job steps.
  • test-card-build.yml: Adds permissions: read-all before the jobs: block; no changes to the npm ci && npm run build steps.

Confidence Score: 5/5

Safe to merge — the only change is adding an explicit read-only token scope to two CI workflows, with no effect on job logic.

Both files receive a single, additive line that restricts the GITHUB_TOKEN to read-only permissions. Neither workflow makes GitHub API calls, so no existing functionality is broken. The placement is correct YAML for workflow-level permissions, and the value read-all matches the pattern already used in test.yml.

No files require special attention.

Important Files Changed

Filename | Overview
.github/workflows/full-stack-test.yml | Adds permissions: read-all at workflow scope, consistent with test.yml; no functional change to the job steps.
.github/workflows/test-card-build.yml | Adds permissions: read-all at workflow scope before the jobs block; no functional change to the npm ci / npm run build steps.

Reviews (1): Last reviewed commit: "ci: declare read-all permissions on the ..."
