ci: add explicit permissions to GitHub Actions workflows

[sai-ray]

Description of changes

This PR adds explicit permissions blocks to GitHub Actions workflows to comply with the upcoming security change on February 2nd, 2026, when the default GitHub token permission will change from "Read and Write" to "Read repository contents and packages permissions."

Changes:

1. closed-issue-message.yml

permissions:
  issues: write

• Needed to post a comment on closed issues via the aws-actions/closed-issue-message action.

Without explicit permissions, this workflow will break when the repo default changes to read-only. This follows the principle of least privilege by only granting the permissions the workflow actually needs.

CDK / CloudFormation Parameters Changed

Issue #, if available

Description of how you validated changes

Checklist

• PR description included
• yarn test passes
• E2E test run linked
• Tests are changed or added
• Relevant documentation is changed or added (and PR referenced)
• New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
• Any CDK or CloudFormation parameter changes are called out explicitly

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.