
[FIX][CHAOS] Fix CI for fork contributors and harden workflow permissions#1074

Merged
aymericDD merged 1 commit into main from aymericdd/fix-ci-fork-and-security
Apr 30, 2026

Conversation

@aymericDD
Contributor

@aymericDD aymericDD commented Apr 30, 2026

What does this PR do?

  • Adds new functionality
  • Alters existing functionality
  • Fixes a bug
  • Improves documentation or testing

Please briefly describe your changes as well as the motivation behind them:

  • External contributors submitting PRs from forks had CI failing because the Get Datadog credentials step requires an OIDC token that GitHub does not grant to fork PRs. This adds if: guards to skip that step for forks, || '' fallbacks on DATADOG_API_KEY (Make's ifdef treats empty as unset, so the optional JUnit upload is silently skipped), and gates the coverage upload on internal PRs only.
  • Adds a top-level permissions: contents: read to restrict the default GITHUB_TOKEN scope across all jobs that previously inherited repository defaults.
  • Scopes the concurrency group with github.repository to prevent a fork contributor from cancelling upstream runs by crafting a matching branch name.

Code Quality Checklist

  • The documentation is up to date.
  • My code is sufficiently commented and passes continuous integration checks.
  • I have signed my commit (see Contributing Docs).

Testing

  • I leveraged continuous integration testing
    • by depending on existing unit tests or end-to-end tests.
    • by adding new unit tests or end-to-end tests.
  • I manually tested the following steps:
    • Verified fork PRs skip credential steps and run tests without errors.
    • Verified internal PRs still upload JUnit reports and coverage to Datadog.
    • locally.
    • as a canary deployment to a cluster.

Allow external contributors to run CI from forks
by skipping OIDC credential steps that require
internal repo access. Add fallback for DATADOG_API_KEY
so Ginkgo's optional junit upload is safely skipped.

Add top-level permissions: contents: read to restrict
default token scope across all jobs. Scope concurrency
group with github.repository to prevent cross-fork
run cancellation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
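The workflow shape the description above is talking about, as an added illustration that is not this PR's diff: the step names, the placeholder credentials action, the `api_key` output and the fork-detection expression are assumptions, while the top-level `permissions`, the repository-scoped concurrency group, the `if:` guards and the `|| ''` fallback mirror what the PR describes.

```yaml
# Added illustration, not the PR's diff. Step names, the credentials action
# (placeholder) and the fork-detection expression are assumptions.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Before: no top-level key, so every job inherited the repository default
# GITHUB_TOKEN scope. After: read-only by default; a job opts in to more.
permissions:
  contents: read

# Before: group keyed on the branch alone, so a fork branch with a matching
# name could cancel the upstream run. Adding github.repository keeps fork
# and upstream runs in separate groups.
concurrency:
  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # only this job needs OIDC, for the credentials step
    steps:
      - uses: actions/checkout@v4

      # GitHub issues no OIDC token to pull_request runs from forks, so this
      # step would fail there; skip it unless the head repo is upstream.
      - name: Get Datadog credentials
        id: creds
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        uses: example-org/get-datadog-credentials@v1   # placeholder action

      # Empty string when the step was skipped; Make's ifdef treats an empty
      # variable as unset, so the optional JUnit upload is silently skipped.
      - name: Run tests
        run: make test
        env:
          DATADOG_API_KEY: ${{ steps.creds.outputs.api_key || '' }}

      # Coverage upload only for internal (non-fork) pull requests.
      - name: Upload coverage
        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
        run: make coverage-upload
```

A quick check after a change like this is to open a throwaway PR from a fork and confirm the credentials and coverage steps show as skipped rather than failed, while a push to `main` still runs them.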
@datadog-official

Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 39.09% (+0.00%)

🔗 Commit SHA: f60cbe8

@aymericDD aymericDD marked this pull request as ready for review April 30, 2026 07:50
@aymericDD aymericDD requested a review from a team as a code owner April 30, 2026 07:50
@aymericDD aymericDD merged commit 58513f8 into main Apr 30, 2026
13 checks passed
@aymericDD aymericDD deleted the aymericdd/fix-ci-fork-and-security branch April 30, 2026 07:52