gha: set default permissions to "contents: read"

[thaJeztah]

make the OpenSSF scorecard slightly happier; https://securityscorecards.dev/viewer/?uri=github.com/docker/buildx

Warn: no topLevel permission defined: .github/workflows/build.yml:1
Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql.yml:13
Warn: no topLevel permission defined: .github/workflows/docs-release.yml:1
Warn: no topLevel permission defined: .github/workflows/docs-upstream.yml:1
Warn: no topLevel permission defined: .github/workflows/e2e.yml:1
Warn: no topLevel permission defined: .github/workflows/labeler.yml:1
Warn: no topLevel permission defined: .github/workflows/validate.yml:1

[crazy-max]

Arg forgot we need write permissions to create GitHub Release https://github.com/docker/buildx/actions/runs/11564225311/job/32190889376#step:7:23

[thaJeztah]

Oops, sorry for that! At least it's good to learn "this is where we actually need permissions" 😅