Backport workflow token permission hardening

Add explicit workflow-level contents: read permissions to the
current next branch CI and coverage workflows to match the
master security hardening without changing job behavior.

Author: evolve75

.github/workflows/coverage.yml

@@ -10,6 +10,8 @@
 
 name: Test Coveralls
 on: ["push", "pull_request"]
+permissions:
+  contents: read
 
 env:
   COVERAGE: true

.github/workflows/tests.yml

@@ -4,6 +4,8 @@
 
 name: Build and Test
 on: [push, pull_request]
+permissions:
+  contents: read
 jobs:
   test:
     continue-on-error: ${{ matrix.experimental }}