Add explicit permissions blocks, remove excessive-permissions ignores

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/ci.yml

@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     uses: smallstep/workflows/.github/workflows/goCI.yml@main

.github/workflows/code-scan-cron.yml

@@ -2,6 +2,11 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   code-scan:
     uses: smallstep/workflows/.github/workflows/code-scan.yml@main

.github/workflows/release.yml

@@ -6,13 +6,20 @@ on:
     tags:
     - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: write
+
 jobs:
   ci:
+    permissions:
+      contents: read
     uses: smallstep/certificates/.github/workflows/ci.yml@master
     secrets: inherit
 
   create_release:
     name: Create Release
+    permissions:
+      contents: write
     needs: ci
     runs-on: ubuntu-latest
     env:

.github/zizmor.yml

@@ -29,16 +29,6 @@ rules:
       - release.yml:91
       - triage.yml:19
       - zizmor.yml:15
-  # These workflows either lack a top-level `permissions:` block
-  # (using GitHub defaults) or delegate to reusable workflows that
-  # declare their own minimal permissions internally.
-  excessive-permissions:
-    ignore:
-      - ci.yml:20
-      - code-scan-cron.yml:6
-      - release.yml:1
-      - release.yml:10
-      - release.yml:14
   # The triage workflow uses `pull_request_target` to label PRs
   # from forks. This is safe because the called reusable workflow
   # does not checkout or execute code from the PR.