Add explicit permissions blocks to caller workflow files

[mtfishman]

Summary

Adds explicit permissions: blocks to the workflow files that call ITensorActions reusable workflows.

Most of these files previously declared no permissions: block and inherited their GITHUB_TOKEN ceiling from the repository / organization Actions defaults. After this change, each workflow's permissions live in the YAML rather than in a settings page, and any future change to the org or per-repo Actions default can only narrow (never widen) what these workflows can do.

Each block declares the minimum the workflow actually needs (contents: read for checkout-only workflows; elevated for Documentation gh-pages deploy, TagBot tag creation, IntegrationTest's gate job, and VersionCheck's PR-file lookup).

Verified by temporarily flipping this repo's per-repo Actions setting to default_workflow_permissions: read and can_approve_pull_request_reviews: false — the planned org-default end state. All workflows pass.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.68%. Comparing base (3c6df30) to head (4477dc2).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #176   +/-   ##
=======================================
  Coverage   78.68%   78.68%           
=======================================
  Files          12       12           
  Lines         793      793           
=======================================
  Hits          624      624           
  Misses        169      169           

Flag	Coverage Δ
docs	30.20% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.