ci: declare empty permissions on hf-xet prerelease testing workflow (#843)

The `hf-xet prerelease testing` workflow currently doesn't declare a
`permissions:` block, so the workflow `GITHUB_TOKEN` falls back to the
repository default. Every step in `trigger_rc_testing` authenticates via
`TOKEN_HUGGINGFACE_HUB_AUTO_BY_XET` (a PAT scoped for the hf-hub
auto-update flow):

- the `actions/checkout` step pulls `huggingface/${{ matrix.target-repo }}` with `token: ${{ secrets.TOKEN_HUGGINGFACE_HUB_AUTO_BY_XET }}`
- `git push` reuses the credentials persisted by checkout

So the workflow's own `GITHUB_TOKEN` is unused. `permissions: {}`
(workflow scope) pins that.

Pattern matches the workflow-level permissions blocks already used in
this repo. With it set:

- the workflow token can't be widened by a future change to the repo
default
- the SLSA / OpenSSF Scorecard `Token-Permissions` check passes for this
file
- a hypothetical compromise of any third-party action reachable from
this workflow (cf. `tj-actions/changed-files` CVE-2025-30066) has
nothing to do with the workflow token

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Arpit Jain
2026-05-14 21:02:17 +09:00
committed by GitHub
parent feb8ddb6fd
commit 6f5060d732
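The commit message works out by hand which credentials the job's `GITHUB_TOKEN` would fall back to. The following is an added example, not code from the hf-xet repository: a small line-based audit that answers the same question for any workflow file, reporting for each job whether its token permissions are pinned at job level, inherited from a workflow-level `permissions:` block, or left to the repository default. It deliberately avoids PyYAML (the `on:` key parses as boolean `True` under YAML 1.1) and understands only the subset of GitHub Actions syntax it needs. The sample workflows are constructed for the example and only loosely modelled on the hunk below; the `huggingface/example-target` repository and the function names are hypothetical.

```python
"""Audit GITHUB_TOKEN permissions in a GitHub Actions workflow (added example).

A line/indentation based scan, not a full YAML parser: it finds `permissions:`
at the workflow level (column 0) and at the job level, and reports where each
job's token permissions come from. Anything else in the file is ignored.
"""
import re
from typing import Dict, List, Optional

KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*?)\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _is_content(line: str) -> bool:
    s = line.strip()
    return bool(s) and not s.startswith("#")


def _child_block(lines: List[str], start: int) -> List[str]:
    """Lines nested (more deeply indented) under the key on lines[start]."""
    base = _indent(lines[start])
    out: List[str] = []
    for line in lines[start + 1:]:
        if _is_content(line) and _indent(line) <= base:
            break
        out.append(line)
    return out


def _parse_permissions(lines: List[str], indent: int) -> Optional[Dict[str, str]]:
    """`permissions:` at exactly `indent` columns: {} for `permissions: {}`,
    {"*": level} for read-all/write-all, scope->level for a mapping, None if absent."""
    for i, line in enumerate(lines):
        if not _is_content(line) or _indent(line) != indent:
            continue
        m = KEY_RE.match(line.strip())
        if not m or m.group(1) != "permissions":
            continue
        value = m.group(2)
        if value == "{}":
            return {}
        if value in ("read-all", "write-all"):
            return {"*": value[:-4]}
        if value:
            raise ValueError(f"unrecognised permissions value {value!r}")
        scopes: Dict[str, str] = {}
        for child in _child_block(lines, i):
            cm = KEY_RE.match(child.strip()) if _is_content(child) else None
            if cm:
                scopes[cm.group(1)] = cm.group(2)
        return scopes
    return None


def token_permissions(workflow: str) -> Dict[str, dict]:
    """Map job id -> {"source": job|workflow|repository-default, "scopes": ...}."""
    lines = workflow.splitlines()
    wf_perms = _parse_permissions(lines, 0)
    jobs_at = [i for i, l in enumerate(lines) if _is_content(l) and l.startswith("jobs:")]
    if not jobs_at:
        raise ValueError("workflow has no top-level jobs: key")
    jobs = _child_block(lines, jobs_at[0])
    job_indent = min(_indent(l) for l in jobs if _is_content(l))
    result: Dict[str, dict] = {}
    for i, line in enumerate(jobs):
        if not _is_content(line) or _indent(line) != job_indent:
            continue
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        body = _child_block(jobs, i)
        body_content = [l for l in body if _is_content(l)]
        job_perms = None
        if body_content:
            job_perms = _parse_permissions(body, min(_indent(l) for l in body_content))
        if job_perms is not None:          # job-level block wins over the workflow block
            result[m.group(1)] = {"source": "job", "scopes": job_perms}
        elif wf_perms is not None:         # inherited from workflow-level permissions:
            result[m.group(1)] = {"source": "workflow", "scopes": wf_perms}
        else:                              # nothing in the file: repository default applies
            result[m.group(1)] = {"source": "repository-default", "scopes": None}
    return result


def unpinned_jobs(workflow: str) -> List[str]:
    """Jobs whose GITHUB_TOKEN permissions are set by the repo default, not the file."""
    return [j for j, info in token_permissions(workflow).items()
            if info["source"] == "repository-default"]


# Constructed sample, loosely modelled on the hunk; not the real hf-xet workflow.
BEFORE = """\
name: prerelease testing (constructed sample)
on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to test (e.g., v1.0.3-rc2)"
        required: true
jobs:
  trigger_rc_testing:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: huggingface/example-target
          token: ${{ secrets.TOKEN_HUGGINGFACE_HUB_AUTO_BY_XET }}
"""
# The fix: workflow-level `permissions: {}` as a sibling of `on:` and `jobs:`.
AFTER = BEFORE.replace("jobs:\n", "permissions: {}\njobs:\n", 1)
# A mis-indented edit: the key lands inside the `on:` block and pins nothing.
MISINDENTED = BEFORE.replace("    inputs:\n", "    permissions: {}\n    inputs:\n", 1)
# A job-level block overrides the workflow-level one for that job only.
JOB_OVERRIDE = AFTER.replace("    runs-on: ubuntu-latest\n",
                             "    permissions:\n      contents: write\n    runs-on: ubuntu-latest\n", 1)

if __name__ == "__main__":
    for name, wf in [("before", BEFORE), ("after", AFTER),
                     ("misindented", MISINDENTED), ("job-override", JOB_OVERRIDE)]:
        print(name, token_permissions(wf), "unpinned:", unpinned_jobs(wf))
```

The `MISINDENTED` case is the one worth running against a real diff: a `permissions: {}` line that has slipped under `on:` is still a syntactically plausible file, but no job inherits from it, so every job still falls back to the repository default.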


@@ -10,6 +10,9 @@ on:
tag:
description: "Tag to test (e.g., v1.0.3-rc2)"
required: true
permissions: {}
jobs:
trigger_rc_testing:
runs-on: ubuntu-latest
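Review bot: the extracted hunk has lost its indentation, so confirm that the added `permissions: {}` sits at column 0 as a sibling of `on:` and `jobs:`, not nested under the `tag:` input where it would set nothing at the workflow level; the `@@ -10,6 +10,9 @@` header reports three added lines but only one is visible here, which suggests surrounding blank lines were dropped as well. Since the job's only visible context is `runs-on: ubuntu-latest`, consider a one-line comment next to `permissions: {}` noting that every step authenticates with `TOKEN_HUGGINGFACE_HUB_AUTO_BY_XET`, so a future step that relies on `GITHUB_TOKEN` (a `gh` call, a release upload) will fail with an empty token rather than silently inheriting the repository default.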