refactor(ci): centralize workflow permissions

Consolidates all job-level permissions into a single workflow-level block in 'ci.yml'.

This simplifies the workflow configuration and makes it easier to manage permissions. The workflow-level permissions now include all necessary permissions for the 'test_linux', 'test_mac', 'codeql', and 'bundle_size' jobs.

.github/workflows/ci.yml

@@ -18,6 +18,9 @@ permissions:
   contents: 'read'
   statuses: 'write'
   packages: 'read'
+  pull-requests: 'write'
+  actions: 'read'
+  security-events: 'write'
 
 defaults:
   run:
@@ -27,10 +30,6 @@ jobs:
   test_linux:
     name: 'Test (Linux)'
     runs-on: 'gemini-cli-ubuntu-16-core'
-    permissions:
-      contents: 'read'
-      checks: 'write'
-      pull-requests: 'write'
     strategy:
       matrix:
         node-version:
@@ -87,10 +86,6 @@ jobs:
   test_mac:
     name: 'Test (Mac)'
     runs-on: '${{ matrix.os }}'
-    permissions:
-      contents: 'read'
-      checks: 'write'
-      pull-requests: 'write'
     continue-on-error: true
     strategy:
       matrix:
@@ -158,10 +153,6 @@ jobs:
   codeql:
     name: 'CodeQL'
     runs-on: 'gemini-cli-ubuntu-16-core'
-    permissions:
-      actions: 'read'
-      contents: 'read'
-      security-events: 'write'
     steps:
       - name: 'Checkout'
         uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
@@ -181,9 +172,6 @@ jobs:
     name: 'Check Bundle Size'
     if: "${{github.event_name == 'pull_request'}}"
     runs-on: 'gemini-cli-ubuntu-16-core'
-    permissions:
-      contents: 'read' # For checkout
-      pull-requests: 'write' # For commenting
 
     steps:
       - name: 'Checkout'