fix: move write permissions from workflow-level to job-level

OpenSSF Scorecard Token-Permissions check flags top-level write
permissions as overly broad. Move write grants to the specific
jobs that need them, keeping workflow-level at contents: read.

Fixes Scorecard alerts #2, #3, #4, #5, #12.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/backport.yaml

@@ -5,12 +5,14 @@ on:
     types: [closed]
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   backport:
     name: Backport
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }}
     timeout-minutes: 10
     if: >

.github/workflows/dependabot-auto-merge.yaml

@@ -4,8 +4,7 @@ on:
   pull_request_target:
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 concurrency:
   group: dependabot-auto-merge-${{ github.event.pull_request.number }}
@@ -14,6 +13,9 @@ concurrency:
 jobs:
   auto-merge:
     name: Auto-merge Dependabot PRs
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     timeout-minutes: 5
     if: github.actor == 'dependabot[bot]'

.github/workflows/release.yaml

@@ -10,10 +10,7 @@ concurrency:
   cancel-in-progress: false
 
 permissions:
-  actions: read     # For SLSA provenance
-  contents: write
-  packages: write
-  id-token: write   # For cosign keyless signing
+  contents: read
 
 env:
   GO_VERSION: "1.26"
@@ -26,6 +23,10 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
       digest: ${{ steps.build.outputs.digest }}
@@ -131,6 +132,10 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     needs: [release]
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
       - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:

.github/workflows/security.yaml

@@ -11,8 +11,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: read
-  security-events: write
 
 concurrency:
   group: security-${{ github.ref }}
@@ -21,6 +19,9 @@ concurrency:
 jobs:
   codeql:
     name: CodeQL
+    permissions:
+      contents: read
+      security-events: write
     runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }}
     timeout-minutes: 15
     steps: