ci: fix excessive GitHub workflow token permissions

## Summary

The OpenSSF Scorecard `Token-Permissions` check flags GitHub Actions workflows in this repository that do not restrict the default `GITHUB_TOKEN` permissions.

## Scorecard Warning

```
Warn: no topLevel permission defined: .github/workflows/antithesis-verify.yml:1
```

## Proposed Fix

Add `permissions: contents: read` at the workflow level in `antithesis-verify.yml`. This follows the principle of least privilege and restricts the token to only reading repository contents.

## Impact

- Improves the OpenSSF Scorecard `Token-Permissions` score
- Follows security best practices by applying the principle of least privilege to CI/CD tokens
- No functional impact — the workflow only checks out code and runs Docker builds locally

## References

- [OpenSSF Scorecard Token-Permissions check](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)
- [GitHub Actions: Setting permissions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: fix excessive GitHub workflow token permissions #21469

Summary

Scorecard Warning

Proposed Fix

Impact

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

ci: fix excessive GitHub workflow token permissions #21469

Description

Summary

Scorecard Warning

Proposed Fix

Impact

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions