ci: declare per-job contents: read on the three sonar-* workflows (#158)

sonar-bulk-operations / sonar-create-project / sonar-delete-project are
manual (workflow_dispatch) admin actions that checkout the repo and run
.github/scripts/sonar-manager.sh with a SONAR_TOKEN. Default GITHUB_TOKEN
is only used for the checkout step. Matches the per-job permissions style
already used by ci.yml / ci-test-go.yml / ci-lint-go.yml in this repo.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Author: arpitjain099

.github/workflows/sonar-bulk-operations.yml

@@ -13,6 +13,8 @@ on:
 
 jobs:
   bulk-operation:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/sonar-create-project.yml

@@ -10,6 +10,8 @@ on:
 
 jobs:
   create-project:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/sonar-delete-project.yml

@@ -10,6 +10,8 @@ on:
 
 jobs:
   delete-project:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2