chore: declare minimum scope on pr-metadata-check workflow

[arpitjain099]

pr-metadata-check.yml runs on pull_request_target and uses gh pr view --json assignees,labels,milestone to enforce PR hygiene. It only reads PR metadata, no checkout. Adding contents: read (for the implicit checkout if it gets re-added later) plus pull-requests: read (for the gh pr view call) caps the otherwise-inherited token scope on pull_request_target.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[rwgk]

I asked Cursor GPT-5.4 Extra High Fast if read (in general) is sufficient. After fetching a bunch of GHA API documentation, it came back with a "yes", but it isn't sure if the contents: read is actually required.

@arpitjain099: since this workflow only reads PR metadata via gh pr view and does not check out code, do you know whether pull-requests: read alone is sufficient, or whether contents: read is also required?

[arpitjain099]

Good question. The workflow only calls gh pr view, which goes through the REST API and doesn't touch repo contents, so pull-requests: read alone is sufficient. I left contents: read in as future-proofing in case a checkout step ever gets added, but happy to drop it for the minimum scope if you prefer. Either works for the CVE-2025-30066 hardening intent.