Tighten the permissions of the reusable workflows we export

[azazeal]

The reusable workflows under .github/workflows/ had a mix of permission issues. Some declared no permissions: block at all (actionlint.yml, frizbee.yml, goBuild.yml, goLint.yml, goTest.yml, govulncheck.yml, codeql-analysis.yml, zizmor.yml), so callers had to remember what to grant. Others over-granted (docker-buildx-push.yml had contents: write it never used; triage.yml granted pull-requests: write and issues: write to both of its jobs when only one needed anything; dependabot-auto-merge.yml kept contents: write and pull-requests: write left over from before it switched to a PAT). And the implicit "caller must also grant X" contract on the umbrella workflows wasn't documented anywhere.

To that end, this PR pins explicit minimum permissions on every reusable workflow, fixes over-grants on docker-buildx-push.yml, triage.yml, and dependabot-auto-merge.yml, wires security-events: write through goCI.yml's codeql call site, and adds NOTE comments documenting the caller-permission contract for the two cases where it can't be removed (actionci.yml's zizmor child, goCI.yml's codeql child).

The PR also includes a small unrelated .editorconfig tweak that respects the local tab-width setting.

Once this is merged, I'll make a pass over existing callers to amend accordingly.