SECCMP-1797: Downgrade contents permission from write to read

The copyright-check reusable workflow only needs contents: read
to checkout code. contents: write was unnecessarily granting the
workflow token write access to repository contents, which expands
the blast radius of any PwnRequest-style attack.

The called workflow (copyright-check.yml) already declares its own
permissions block with contents: read.

Author: GAdityaVarma

.github/workflows/pr-workflow.yaml

@@ -18,6 +18,6 @@ jobs:
     name: © Validate Copyright Headers
     uses: marklogic/pr-workflows/.github/workflows/copyright-check.yml@main
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
       issues: write