ci: security review — add PR test trigger, explicit permissions on all jobs

- test.yml: add pull_request trigger (safe — permissions: {}, no secrets
  referenced; pull_request event from forks gets no secrets and read-only token)
- stale.yml: add explicit permissions (issues: write, pull-requests: write)
  instead of relying on potentially over-broad repo defaults
- docker-build-pr.yml: add actions: write permission required for GHA
  cache writes (cache-to: type=gha)

Remaining known limitation: actions are pinned to tags (@v3/@v6) rather
than SHAs — moving a tag upstream would run arbitrary code. Low risk for
official Docker/GitHub actions but worth noting.

ci: remove cache-to from PR build, drop actions: write permission

PR builds read from the GHA cache (warmed by main branch pushes) but
don't write back. This avoids needing actions: write on a job that runs
untrusted PR code.

ci: restrict test job permissions to zero

Zero out GITHUB_TOKEN permissions and remove the non-existent
ACTIONS_RUNNER_NO_SECRETS variable. No repo secrets are referenced
in this workflow, so the test runner has no credentials available.
The workflow only triggers on push to protected branches (not PRs),
so code is reviewed before it runs.

ci: add test workflow to run unit/integration tests on push

Runs `npm test` (Vitest unit + integration tests) on every push to
main and develop. E2E tests are excluded as they require a full
Docker Compose stack.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/stale.yml

@@ -7,6 +7,9 @@ on:
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@v10
         with: