
Pin ci.yml GITHUB_TOKEN to read-only permissions #10

Merged: johncarmack1984 merged 1 commit into main from harden-ci-token-permissions on Jun 17, 2026

Conversation

@johncarmack1984 (Owner) commented Jun 17, 2026

Summary

Adds a top-level permissions: contents: read block to ci.yml, resolving all three open code-scanning alerts (actions/missing-workflow-permissions, CodeQL, medium severity) — one per CI job (web, rust, cdk).

The CI workflow had no permissions: block, so its GITHUB_TOKEN inherited the repository default rather than least-privilege. All three jobs only read the repo — checkout, install, build, lint, test, git diff, and an AWS-free cdk synth — so read-only contents is sufficient. This also brings ci.yml in line with the other workflows (deploy.yml, auto-release.yml, release.yml), which each already declare an explicit, scoped permissions block.

Fixes the alerts at https://github.com/johncarmack1984/stormdeck/security/code-scanning.

Docs & attribution

Merging deploys, so stale docs ship to production. Tick every box (or the N/A).

  • README updated if this changed data sources, behavior, costs, or architecture (intro, the mermaid diagram, and the What it costs / Configuration tables).
  • On-map attribution (web/src/App.tsx and web/src/basemap.ts) updated if a tile/data source was added, removed, or swapped.
  • Every new external source is credited in both the on-map attribution and the README Attribution section — free/open data still carries license terms (an uncredited source is a licensing bug, not just a doc gap).
  • N/A — no data sources, user-facing behavior, costs, or architecture changed.

johncarmack1984 added the ci (Continuous integration / workflow changes) label on Jun 17, 2026
johncarmack1984 merged commit 945e48d into main on Jun 17, 2026
7 checks passed
johncarmack1984 deleted the harden-ci-token-permissions branch on June 18, 2026 at 21:37