ci: declare minimal permissions on sync-to-gitlab workflow

Adds explicit permissions: contents: read at workflow level. The
workflow only needs read access to check out the repo; the GitLab
push uses GITLAB_TOKEN (a repo secret), not GITHUB_TOKEN.

Resolves CodeQL alert: actions/missing-workflow-permissions

Author: GitHubNewbie0

.github/workflows/sync-to-gitlab.yml

@@ -14,6 +14,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     runs-on: ubuntu-latest