[FLINK-34332][ci] Follow the principle of least privilege for GITHUB_TOKEN#28182

Open
Kaixuan-Duan wants to merge 2 commits into
apache:masterfrom
Kaixuan-Duan:fix/34332

Conversation

@Kaixuan-Duan

What is the purpose of the change

This pull request limits the scope of GITHUB_TOKEN permissions in GitHub Actions workflows
and documents why each permission is needed, as requested in FLINK-34332.

Previously, several workflows used permissions: read-all, which grants broader read access
than necessary. This change replaces read-all with the more restrictive contents: read
wherever possible, and adds comments explaining the purpose of each permission.

Brief change log

  • Replaced permissions: read-all with contents: read in ci.yml, nightly.yml,
    template.flink-ci.yml, and template.pre-compile-checks.yml
  • Added permissions: contents: read to docs.yml and docs-legacy.yml (previously
    relying on default, potentially broader permissions)
  • Added permissions: {} at workflow level in nightly-trigger.yml, keeping
    actions: write only at the job level with documented reason
  • Added inline comments documenting why each permission is required in stale.yml
    and community-review.yml

Verifying this change

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): (no)
  • The public API, i.e., is any changed class annotated with @Public(Evolving): (no)
  • The serializers: (no)
  • The runtime per-record code paths (performance sensitive): (no)
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (no)
  • The S3 file system connector: (no)

Documentation

  • Does this pull request introduce a new feature? (no)
  • If yes, how is the feature documented? (not applicable)

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

@flinkbot
Collaborator

flinkbot commented May 17, 2026

CI report:

Bot commands The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

@snuyanzin
Contributor

can you share a link to GHA passing for this commit?

@Kaixuan-Duan
Author

Hi, @snuyanzin
Here are the GitHub Actions passing links that validate the permission changes in commit be7f77e:
1. Flink CI (beta): https://github.com/Kaixuan-Duan/flink/actions/runs/26056260237
2. Nightly (beta): https://github.com/Kaixuan-Duan/flink/actions/runs/26056260295
3. Test Permissions (FLINK-34332): https://github.com/Kaixuan-Duan/flink/actions/runs/26056260260
The 2 failing jobs (Java 11 compile issue with presto-hive dependency, and REST API doc sync issue) are unrelated to permission changes as they involve Java version compatibility and documentation generation, not GitHub Actions permissions.

@Au-Miner
Contributor

Au-Miner commented May 19, 2026

Hi @Kaixuan-Duan, thanks for promoting this PR, and let me leave some comments below.

Comment thread .github/workflows/community-review.yml Outdated
# Required to add/remove labels on PRs via the GitHub API.
pull-requests: write
# Required for the script to manage its execution state.
actions: write
Contributor

Need to double check whether community-review.sh requires the actions: write permission. From my understanding, only read-only PR query and issue API permissions are needed.

Comment thread .github/workflows/community-review.yml Outdated
issues: write
# Required to add/remove labels on PRs via the GitHub API.
pull-requests: write
# Required for the script to manage its execution state.
Contributor

Could you explain why it is necessary to manage the execution state?

@github-actions github-actions Bot added the community-reviewed PR has been reviewed by the community. label May 19, 2026
@Kaixuan-Duan
Author

Hi @Au-Miner , thanks for the reviews! I've removed the unnecessary actions: write permission. The remaining issues: write and pull-requests: write are required for creating repository-level labels and adding/removing labels on PRs respectively. docs
Note: PR labels are technically managed via the Issues API, but pull-requests: write is explicitly documented as permitting "an action to add a label to a pull request." We keep both for clarity and least privilege.
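The two patterns discussed in this thread, a workflow-level `permissions: {}` default-deny with explicit per-job grants (the PR description) and the `issues: write` / `pull-requests: write` pair for label management (the reply above), are shown together below in an added example that is not part of this PR or of Flink's workflow files. The two workflow fixtures and the `audit_workflow_permissions` function are constructed for illustration; the audit is a textual (grep/awk) check that flags `read-all`/`write-all` catch-all grants, a missing workflow-level `permissions:` block, and write scopes that carry no explanatory comment.

```shell
#!/usr/bin/env bash
# Added example: audit GitHub Actions workflows for over-broad GITHUB_TOKEN grants.
# The fixtures are constructed for this example; they are not Flink's real workflows.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# "Before" fixture: read-all grants read on every token scope (issues, PRs,
# packages, ...) although the job only needs to check out code.
cat > "$WORKDIR/ci-before.yml" <<'EOF'
name: CI
on: [pull_request]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./mvnw -B verify
EOF

# "After" fixture: default-deny at the workflow level; each job opts in to the
# minimum it needs, with a comment saying why.
cat > "$WORKDIR/ci-after.yml" <<'EOF'
name: CI
on: [pull_request]
# No token scopes by default; jobs request what they need below.
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    # Required to check out the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./mvnw -B verify
  trigger-nightly:
    runs-on: ubuntu-latest
    # Required to dispatch another workflow through the Actions API.
    permissions:
      actions: write
    steps:
      - run: gh workflow run nightly.yml
        env:
          GH_TOKEN: ${{ github.token }}
  label:
    runs-on: ubuntu-latest
    # issues: write creates repository labels; pull-requests: write applies them to PRs.
    permissions:
      issues: write
      pull-requests: write
    steps:
      - run: gh pr edit "$PR" --add-label community-reviewed
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
EOF

# Returns 0 when the file follows least privilege, 1 otherwise; each finding
# is printed to stderr. Checks are purely textual, so no YAML parser is needed.
audit_workflow_permissions() {
  file="$1"
  rc=0
  # Catch-all scopes at any indentation (workflow or job level).
  if grep -Eq '^[[:space:]]*permissions:[[:space:]]*(read-all|write-all)[[:space:]]*$' "$file"; then
    echo "$file: uses read-all/write-all; replace with explicit scopes" >&2
    rc=1
  fi
  # Without a top-level block the workflow inherits the repository default,
  # which may be broader than any job needs.
  if ! grep -Eq '^permissions:' "$file"; then
    echo "$file: no workflow-level permissions block" >&2
    rc=1
  fi
  # Every write scope should be justified by a comment, either directly above
  # the scope or above the enclosing permissions: block.
  if awk '
    /^[[:space:]]*permissions:[[:space:]]*$/ { blockdoc = (prev ~ /^[[:space:]]*#/) }
    /^[[:space:]]*[a-z-]+:[[:space:]]*write[[:space:]]*$/ {
      if (!blockdoc && prev !~ /^[[:space:]]*#/) bad = 1
    }
    { prev = $0 }
    END { exit bad ? 0 : 1 }' "$file"; then
    echo "$file: write scope without an explanatory comment" >&2
    rc=1
  fi
  return $rc
}

# Run the audit over both fixtures; the "before" file is expected to fail.
for f in "$WORKDIR"/ci-before.yml "$WORKDIR"/ci-after.yml; do
  if audit_workflow_permissions "$f"; then
    echo "$f: ok"
  fi
done
```

Run the script as-is to see the "before" fixture flagged and the "after" fixture pass; to use the check in a real repository, point `audit_workflow_permissions` at `.github/workflows/*.yml` instead of the temporary fixtures.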
