Grant contents: write to docs deploy job to fix gh-pages 403

[ChrisRackauckas-Claude]

Problem

The Documentation / Build and Deploy Documentation check has failed on every push to main since the migration to the centralized SciML reusable workflows (2026-06-02). The docs build fine; only the deploy step fails:

remote: Permission to SciML/LightweightStats.jl.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/SciML/LightweightStats.jl.git/': The requested URL returned error: 403
ERROR: failed process: Process(`git push -q upstream HEAD:gh-pages`) ... ProcessExited(128)

(PR-event docs runs pass because they only build, never deploy — which is why only the push-to-main runs are red.)

Root cause

The centralized reusable workflow SciML/.github/.github/workflows/documentation.yml@v1 deploys via GITHUB_TOKEN || DOCUMENTER_KEY and declares no permissions: block, so its GITHUB_TOKEN inherits the caller's permissions. The caller Documentation.yml also declared none, so the token defaulted to read-only (Contents: read, confirmed in the job log). This repo has no DOCUMENTER_KEY secret configured (actions/secrets returns total_count: 0), so deployment must rely on the GITHUB_TOKEN — but a read-only token can't push to gh-pages, hence the 403.

Before the centralized-workflow migration, the repo's own CI.yml docs job granted:

permissions:
  contents: write
  statuses: write
  pages: write
  id-token: write

and deployed successfully (last good gh-pages build: 2026-05-30). The migration dropped those permissions.

Fix

Restore contents: write (plus statuses: write for commit-status updates) at the caller job level. Per GitHub Actions semantics, because the reusable workflow has no permissions: block, these caller job-level permissions propagate to the reusable workflow's GITHUB_TOKEN, giving deploydocs the push access it needs.

This is the minimal change that restores the exact write permission the working pre-migration workflow had. (Alternatively an admin could configure a DOCUMENTER_KEY SSH deploy key, like other SciML repos — but that requires admin access and a repo secret; this PR is the PR-fixable path.)

Verification

Workflow-only change, no .jl files (Runic N/A). Verified locally: YAML parses cleanly; the permissions block is correctly placed at the jobs.documentation level; and the reusable workflow has no permissions: block, so the caller's permissions are inherited. The deploy step only runs on push/workflow_dispatch to main (not on PR events), so the actual gh-pages push will be exercised once this lands on main.

Please ignore until reviewed by @ChrisRackauckas.

[ChrisRackauckas-Claude]

Superseded by SciML/.github#102, which sets permissions: contents: write in the centralized documentation.yml reusable — so this per-repo permissions block is no longer needed once v1 is retagged. Closing in favor of the central fix.