
fix(ci): grant contents:write to deploy-dev for commit annotation #419

Merged: KedoKudo merged 1 commit into next from fix/deploy-dev-commit-comment-perms on Jun 12, 2026

@KedoKudo

Collaborator

What

One-job permissions fix in dev-conda-publish.yaml: the deploy-dev job now has permissions: contents: write.

Why

The #416 hardening set the workflow to contents: read top-level. On the first next push after that (the #417 dependabot merge, run 27433460512), the final Annotate commit step (peter-evans/commit-comment) failed with 403 Resource not accessible by integration — creating a commit comment requires contents: write.

Delivery impact: none. The GitLab trigger step succeeded before the annotation failed, so the dev deploy pipeline for the analysis cluster fired normally; only the cosmetic commit-comment annotation was lost.

The grant is scoped to the deploy-dev job only; dev-conda-build stays at the top-level contents: read.

Checked HyperCTui / CGC / NIS for the same pattern — no other repo uses commit-comment, so this is iBeatles-only.

🤖 Generated with Claude Code

The #416 hardening set the workflow to contents:read top-level, but
peter-evans/commit-comment needs contents:write, so the "Annotate
commit" step 403'd on the first next push (run 27433460512). The
GitLab trigger itself succeeded; only the annotation failed. Scope
the write grant to the deploy-dev job, keeping the build job at read.

Assisted-With: Claude Fable 5 (1M context) <noreply@anthropic.com>
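
The permission scoping described in this PR, sketched as an added example (not the repository's actual workflow file). The job names, branch, and permission values come from the PR text; the workflow name, runner, step bodies, and the `<pinned-ref>` placeholders are assumptions.

```yaml
# Constructed sketch of dev-conda-publish.yaml after this change.
name: dev-conda-publish            # assumed display name
on:
  push:
    branches: [next]

# Workflow-level default (the #416 hardening): GITHUB_TOKEN can only
# read repository contents unless a job overrides it.
permissions:
  contents: read

jobs:
  dev-conda-build:
    runs-on: ubuntu-latest         # assumed runner
    # No job-level permissions block, so this job inherits contents: read.
    steps:
      - uses: actions/checkout@<pinned-ref>
      - name: Build conda package  # placeholder step
        run: echo "build"

  deploy-dev:
    runs-on: ubuntu-latest         # assumed runner
    # A job-level block replaces the workflow-level block for this job
    # only. Scopes not listed here are set to none, so the token gains
    # contents: write and nothing else.
    permissions:
      contents: write
    steps:
      - name: Trigger GitLab pipeline   # placeholder step
        run: echo "trigger"
      # Creating a commit comment is a write to repository contents;
      # with contents: read this step fails with
      # "403 Resource not accessible by integration".
      - name: Annotate commit
        uses: peter-evans/commit-comment@<pinned-ref>
        with:
          body: "Dev deploy triggered"  # constructed message
```
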
@codecov

codecov Bot commented Jun 12, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 10.68%. Comparing base (ae9c18f) to head (e862d44).

Additional details and impacted files
@@           Coverage Diff           @@
##             next     #419   +/-   ##
=======================================
  Coverage   10.68%   10.68%           
=======================================
  Files         195      195           
  Lines       17827    17827           
  Branches     1829     1829           
=======================================
  Hits         1905     1905           
  Misses      15875    15875           
  Partials       47       47           

@KedoKudo KedoKudo merged commit b0e83ee into next Jun 12, 2026
9 checks passed
@KedoKudo KedoKudo deleted the fix/deploy-dev-commit-comment-perms branch June 12, 2026 18:47