fix(ci): add least-privilege permissions to workflow files#2944

Draft
waveywaves wants to merge 2 commits into chainloop-dev:main from waveywaves:fix/scorecard-token-permissions

Conversation

@waveywaves (Contributor) commented Mar 27, 2026

Summary

  • Add top-level permissions blocks to workflow files following the two-tier permission pattern recommended by OpenSSF Scorecard
  • stale.yml: added permissions: {} at workflow level (job-level issues: write + pull-requests: write already correct)
  • build_external_container_images.yaml: moved packages: write from workflow level to job level; set workflow level to permissions: { contents: read }
  • codeql.yml: removed id-token: write from workflow level (kept contents: read); job level already has id-token: write
  • scm_configuration_check.yaml: already had permissions: read-all at workflow level, no change needed

Issue Item Checklist

| # | File | Issue Finding | Disposition |
|---|------|---------------|-------------|
| 1 | stale.yml | No top-level permissions | Fixed: added permissions: {} at workflow level |
| 2 | scm_configuration_check.yaml | No top-level permissions | Already correct: had permissions: read-all at workflow level before this PR |
| 3 | build_external_container_images.yaml | packages: write at workflow level | Fixed: moved packages: write to job level, set workflow level to permissions: { contents: read } |
| 4 | release.yaml (issue says github_release.yaml) | Job-level packages: write + contents: write | No change: legitimate for release workflows; already at job level which is the correct tier |
| 5 | package_chart.yaml | Job-level packages: write | No change: legitimate for chart publishing; already at job level which is the correct tier |
| bonus | codeql.yml | id-token: write at workflow level | Fixed: removed from workflow level; job already declares id-token: write |

Test Plan

  • Verify stale.yml workflow runs correctly (cron or manual dispatch) with the new top-level permissions: {}
  • Verify build_external_container_images.yaml workflow can still build and push container images with packages: write now at job level
  • Verify codeql.yml workflow still generates SLSA provenance with id-token: write only at job level
  • Re-run the OpenSSF Scorecard to confirm the token-permissions score improves

Fixes #2841
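
To make the two-tier pattern described in the summary above concrete, here is an added example that is not part of this PR and not chainloop's own workflow files or tooling. It writes three constructed workflow files (the before/after shape of a `packages: write` move like the build_external_container_images.yaml change, and a stale-style workflow with job-level grants but no workflow-level block) and runs a small shell stand-in for the Scorecard Token-Permissions check that only inspects the workflow-level `permissions:` block. The file contents and the `check_workflow` / `top_level_permissions` helpers are assumptions for illustration; the real Scorecard check parses the YAML properly and scores each scope, whereas this script is a line-based approximation.

```shell
#!/bin/sh
# Added example, not chainloop's code: a minimal stand-in for the Scorecard
# Token-Permissions check, applied to three constructed workflow files.
# It looks only at the workflow-level `permissions:` block (a column-0 key)
# and classifies a file as:
#   missing  no workflow-level permissions block, so every job inherits the
#            repository default for the GITHUB_TOKEN
#   write    the workflow-level block grants a write scope to every job
#   ok       the block is present and read-only (or `{}`)
# Job-level grants are deliberately not inspected: that is the tier where
# write scopes belong under the two-tier pattern.

# Print the workflow-level permissions block: the column-0 `permissions:`
# line plus its indented children, up to the next column-0 key.
top_level_permissions() {
  awk '
    /^permissions:/              { inblock = 1; print; next }
    inblock && /^[^[:space:]#]/  { inblock = 0 }
    inblock                      { print }
  ' "$1"
}

# Classify one workflow file; echoes one of: missing | write | ok
check_workflow() {
  block=$(top_level_permissions "$1")
  if [ -z "$block" ]; then
    echo missing
  elif printf '%s\n' "$block" | grep -Eq ':[[:space:]]*write(-all)?([^a-z-]|$)'; then
    echo write
  else
    echo ok
  fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed "before": packages: write granted to every job in the file.
cat > "$tmp/before.yaml" <<'EOF'
name: build-images
on: [push]
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
EOF

# Constructed "after": read-only default at the workflow level, write scope
# only on the job that actually pushes an image.
cat > "$tmp/after.yaml" <<'EOF'
name: build-images
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
EOF

# Constructed: job-level grants but no workflow-level block at all.
cat > "$tmp/none.yaml" <<'EOF'
name: stale
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v9
EOF

for f in before after none; do
  printf '%-7s %s\n' "$f" "$(check_workflow "$tmp/$f.yaml")"
done
```

Both `permissions: {}` and `permissions: read-all` at the workflow level classify as `ok`, while `permissions: write-all` or any `<scope>: write` in that block classifies as `write`. The third file shows why the stale.yml fix in this PR is an addition of an empty top-level block rather than a change to the job: the job-level grants are already where they belong, and the missing workflow-level default is the only finding.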

@waveywaves force-pushed the fix/scorecard-token-permissions branch from 1375beb to 3da776c on March 27, 2026 13:33
waveywaves and others added 2 commits March 28, 2026 09:45
Add top-level permissions blocks following the two-tier permission
pattern recommended by OpenSSF Scorecard:

- stale.yml: add `permissions: {}` at workflow level (job already has
  issues: write + pull-requests: write)
- build_external_container_images.yaml: move `packages: write` from
  workflow level to job level; set workflow level to `permissions: read-all`

scm_configuration_check.yaml already had `permissions: read-all` at
workflow level so no change was needed.

Fixes chainloop-dev#2841

Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>

Replace os.CreateTemp (which generates a random suffix) with a
deterministic filename derived from the config's content hash
(ConfigHash[:12]). This ensures that retries produce the same temp file
path, preventing duplicate CAS uploads when the attestation is retried
due to remote state conflicts.

Fixes: chainloop-dev#2907

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
@waveywaves force-pushed the fix/scorecard-token-permissions branch from 3da776c to dcdd23f on March 28, 2026 04:15
Development

Successfully merging this pull request may close these issues.

Fix OpenSSF Scorecard token-permissions check (currently 0/10)