Summary
The default branch already hardened .github/workflows/lock-closed.yml against the issue(s) below, but the release branch 11.2.x still carries it. This proposes the same, minimal fix for that branch.
Affected branch / file
- branch: 11.2.x (HEAD 577bee32)
- file: .github/workflows/lock-closed.yml
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
These are already resolved on the default branch in b8c8cc4 but the fix was not backported to 11.2.x.
Suggested fix
Concretely:
- permissions.contents = 'read'
--- a/.github/workflows/lock-closed.yml
+++ b/.github/workflows/lock-closed.yml
@@ -12,3 +12,5 @@
- uses: angular/dev-infra/github-actions/lock-closed@4f335a4c1f01f20bf905acee2d68c7248f50f2a0
with:
lock-bot-key: ${{ secrets.LOCK_BOT_PRIVATE_KEY }}
+permissions:
+ contents: read
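Review bot: because whitespace is normalized, the hunk does not show whether the added `permissions:` key lands at workflow level (column 0) or is nested under the job or the step; please confirm it is a top-level key, since only then does every job in the file inherit `contents: read`, and the header `@@ -12,3 +12,5 @@` is consistent with the block being appended at the end of the file. The step is handed `lock-bot-key: ${{ secrets.LOCK_BOT_PRIVATE_KEY }}`, so it appears to authenticate with the bot key rather than relying on write scopes of the default GITHUB_TOKEN, which is why a read-only token should not break the locking behaviour; a single run of the workflow on the 11.2.x branch would confirm that before merging.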
(Whitespace is normalized in the diff above; only the security-relevant lines change.) This patch was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced.
This issue was prepared by an automated workflow-hardening analysis and double-checked against the two scanners above. Please review before merging — happy to send a pull request instead if that's preferred.