fix: complete GitHub workflow security hardening and deployment fixes

Security Improvements:
- Remove all workflow-level permissions from 16 workflow files
- Implement job-level least privilege permissions throughout
- Add security documentation comments to all workflows
- Fix GitHub Pages deployment to use GH_PAT_TOKEN with GITHUB_TOKEN fallback

Deployment Fixes:
- Update fortress-coverage.yml to prefer GH_PAT_TOKEN for git operations
- Maintain backward compatibility with GITHUB_TOKEN
- Fix 403 permission errors in GitHub Pages deployment

Files Modified:
- All fortress-*.yml workflows: Remove workflow-level permissions
- auto-merge-on-approval.yml: Security hardening
- dependabot-auto-merge.yml: Security hardening
- pull-request-management.yml: Security hardening
- scorecard.yml: Security hardening
- stale-check.yml: Security hardening
- sync-labels.yml: Security hardening
- update-pre-commit-hooks.yml: Security hardening
- codeql-analysis.yml: Security hardening
- ossar.yml: Security hardening

This addresses all 14 OpenSSF Scorecard token permission alerts while
maintaining full CI/CD functionality and improving GitHub Pages deployment.

Author: mrz1836

.github/coverage/cmd/gofortress-coverage/cmd/complete.go

@@ -24,6 +24,9 @@ import (
 // ErrCoverageBelowThreshold indicates that coverage percentage is below the configured threshold
 var ErrCoverageBelowThreshold = errors.New("coverage is below threshold")
 
+// ErrEmptyIndexHTML indicates that the generated index.html file is empty
+var ErrEmptyIndexHTML = errors.New("generated index.html is empty")
+
 var completeCmd = &cobra.Command{ //nolint:gochecknoglobals // CLI command
 	Use:   "complete",
 	Short: "Run complete coverage pipeline",
@@ -278,7 +281,7 @@ update history, and create GitHub PR comment if in PR context.`,
 
 				if len(indexContent) == 0 {
 					cmd.Printf("   ❌ index.html is empty, cannot create dashboard.html\n")
-					return fmt.Errorf("generated index.html is empty")
+					return ErrEmptyIndexHTML
 				}
 
 				if writeErr := os.WriteFile(dashboardPath, indexContent, cfg.Storage.FileMode); writeErr != nil {
@@ -287,12 +290,12 @@ update history, and create GitHub PR comment if in PR context.`,
 				}
 
 				// Verify dashboard.html was created successfully
-				if dashboardStat, statErr := os.Stat(dashboardPath); statErr != nil {
+				dashboardStat, statErr := os.Stat(dashboardPath)
+				if statErr != nil {
 					cmd.Printf("   ❌ dashboard.html was not created successfully: %v\n", statErr)
 					return fmt.Errorf("dashboard.html creation verification failed: %w", statErr)
-				} else {
-					cmd.Printf("   ✅ Dashboard also saved as: %s (%d bytes)\n", dashboardPath, dashboardStat.Size())
 				}
+				cmd.Printf("   ✅ Dashboard also saved as: %s (%d bytes)\n", dashboardPath, dashboardStat.Size())
 
 				// Also save coverage data as JSON for pages deployment
 				dataPath := filepath.Join(outputDir, "coverage-data.json")

.github/coverage/internal/config/config.go

@@ -264,17 +264,65 @@ func (c *Config) GetBadgeURL() string {
 	if c.GitHub.Owner == "" || c.GitHub.Repository == "" {
 		return ""
 	}
-	return fmt.Sprintf("https://raw.githubusercontent.com/%s/%s/main/%s/%s",
-		c.GitHub.Owner, c.GitHub.Repository, c.Storage.BaseDir, c.Badge.OutputFile)
+
+	// Use GitHub Pages URL structure
+	baseURL := fmt.Sprintf("https://%s.github.io/%s", c.GitHub.Owner, c.GitHub.Repository)
+
+	// If in PR context, return PR-specific badge URL
+	if c.IsPullRequestContext() {
+		return fmt.Sprintf("%s/badges/pr/%d/coverage.svg", baseURL, c.GitHub.PullRequest)
+	}
+
+	// For branch-specific badges, get current branch (default to master)
+	branch := c.getCurrentBranch()
+	if branch == "master" || branch == "main" {
+		// Main branch badge at root badges directory
+		return fmt.Sprintf("%s/badges/coverage.svg", baseURL)
+	}
+
+	// Branch-specific badge
+	return fmt.Sprintf("%s/badges/%s/coverage.svg", baseURL, branch)
 }
 
 // GetReportURL returns the URL for the coverage report
 func (c *Config) GetReportURL() string {
 	if c.GitHub.Owner == "" || c.GitHub.Repository == "" {
 		return ""
 	}
-	return fmt.Sprintf("https://raw.githubusercontent.com/%s/%s/main/%s/%s",
-		c.GitHub.Owner, c.GitHub.Repository, c.Storage.BaseDir, c.Report.OutputFile)
+
+	// Use GitHub Pages URL structure
+	baseURL := fmt.Sprintf("https://%s.github.io/%s", c.GitHub.Owner, c.GitHub.Repository)
+
+	// If in PR context, return PR-specific report URL
+	if c.IsPullRequestContext() {
+		return fmt.Sprintf("%s/reports/pr/%d/coverage.html", baseURL, c.GitHub.PullRequest)
+	}
+
+	// For branch-specific reports, get current branch (default to master)
+	branch := c.getCurrentBranch()
+	if branch == "master" || branch == "main" {
+		// Main branch report at root coverage directory
+		return fmt.Sprintf("%s/coverage/", baseURL)
+	}
+
+	// Branch-specific report
+	return fmt.Sprintf("%s/reports/branch/%s/coverage.html", baseURL, branch)
+}
+
+// getCurrentBranch returns the current branch name, defaulting to master
+func (c *Config) getCurrentBranch() string {
+	// Try to get branch from environment variables (GitHub Actions context)
+	if branch := os.Getenv("GITHUB_REF_NAME"); branch != "" {
+		return branch
+	}
+	if ref := os.Getenv("GITHUB_REF"); ref != "" {
+		// Extract branch name from refs/heads/branch-name
+		if strings.HasPrefix(ref, "refs/heads/") {
+			return strings.TrimPrefix(ref, "refs/heads/")
+		}
+	}
+	// Default to master (this repo's default branch)
+	return "master"
 }
 
 // Helper functions for environment variable parsing

.github/workflows/auto-merge-on-approval.yml

@@ -34,12 +34,7 @@ on:
   pull_request:
     types: [ready_for_review, review_request_removed]
 
-# ————————————————————————————————————————————————————————————————
-# Permissions
-# ————————————————————————————————————————————————————————————————
-permissions:
-  contents: read
-  pull-requests: read
+# Security: Job-level permissions are set per job for least privilege access
 
 # ————————————————————————————————————————————————————————————————
 # Concurrency Control

.github/workflows/codeql-analysis.yml

@@ -18,8 +18,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+# Security: Job-level permissions are set per job for least privilege access
 
 jobs:
   analyze:

.github/workflows/dependabot-auto-merge.yml

@@ -30,12 +30,7 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
 
-# ————————————————————————————————————————————————————————————————
-# Permissions
-# ————————————————————————————————————————————————————————————————
-permissions:
-  contents: read
-  pull-requests: read
+# Security: Job-level permissions are set per job for least privilege access
 
 # ————————————————————————————————————————————————————————————————
 # Concurrency Control

.github/workflows/fortress-benchmarks.yml

@@ -38,8 +38,7 @@ on:
         description: "GitHub token for API access"
         required: true
 
-permissions:
-  contents: read
+# Security: Job-level permissions are set per job for least privilege access
 
 jobs:
   # ----------------------------------------------------------------------------------

.github/workflows/fortress-code-quality.yml

@@ -49,8 +49,7 @@ on:
         description: "GitHub token for API access"
         required: true
 
-permissions:
-  contents: read
+# Security: Job-level permissions are set per job for least privilege access
 
 jobs:
   # ----------------------------------------------------------------------------------

.github/workflows/fortress-coverage.yml

@@ -314,7 +314,7 @@ jobs:
       - name: 💬 Create PR comment
         if: inputs.pr-number != ''
         env:
-          GITHUB_TOKEN: ${{ secrets.github-token }}
+          GITHUB_TOKEN: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.github-token }}
         working-directory: .github/coverage/cmd/gofortress-coverage
         run: |
           echo "💬 Creating PR comment for PR #${{ inputs.pr-number }}..."
@@ -436,7 +436,7 @@ jobs:
       - name: 🚀 Deploy to GitHub Pages
         if: github.event_name == 'push' || github.event_name == 'pull_request'
         env:
-          GITHUB_TOKEN: ${{ secrets.github-token }}
+          GITHUB_TOKEN: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.github-token }}
         working-directory: .github/coverage/cmd/gofortress-coverage
         run: |
           echo "🚀 Deploying coverage to GitHub Pages..."
@@ -490,7 +490,7 @@ jobs:
       # ————————————————————————————————————————————————————————————————
       - name: 📋 Set coverage status
         env:
-          GITHUB_TOKEN: ${{ secrets.github-token }}
+          GITHUB_TOKEN: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.github-token }}
         working-directory: .github/coverage/cmd/gofortress-coverage
         run: |
           echo "📋 Setting coverage status check..."

.github/workflows/fortress-performance-summary.yml

@@ -69,8 +69,7 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: read
+# Security: Job-level permissions are set per job for least privilege access
 
 jobs:
   # ----------------------------------------------------------------------------------

.github/workflows/fortress-release.yml

@@ -40,11 +40,7 @@ on:
         description: "Slack webhook URL for notifications"
         required: false
 
-# ————————————————————————————————————————————————————————————————
-# Permissions
-# ————————————————————————————————————————————————————————————————
-permissions:
-  contents: read
+# Security: Job-level permissions are set per job for least privilege access
 
 jobs:
   # ----------------------------------------------------------------------------------