ci(create-release-branch): pin contents: read

actions-create-release-branch uses secrets.ELEVATED_GITHUB_TOKEN for
the actual push, so the default GITHUB_TOKEN can stay scoped to
read-only. Matches the top-level pattern in acceptance-test.yml,
backport.yml, issue-comment-created.yml, etc.

.github/workflows/create-release-branch.yml

@@ -1,5 +1,12 @@
 name: Create a release branch
 on: [workflow_dispatch]
+
+# The actions-create-release-branch step uses secrets.ELEVATED_GITHUB_TOKEN
+# to push the release branch; the default GITHUB_TOKEN only needs read
+# access for the checkout.
+permissions:
+  contents: read
+
 jobs:
   create-branch:
     runs-on: ubuntu-latest