ci: apply least-privilege permissions to all workflows (#578)

* ci: apply least-privilege permissions to all workflows

Move write permissions from workflow-level to job-level to satisfy
OpenSSF Scorecard Token-Permissions check. This follows the principle
of least privilege - workflows default to read-all, and only specific
jobs that need write access declare it.

Changed workflows:
- claude.yml: id-token: write moved to job level
- claude-code-review.yml: consistent read-all at workflow level
- codeql.yml: security-events: write moved to job level
- labeler.yml: pull-requests: write moved to job level
- pr-tests.yml: pull-requests: write, statuses: write moved to job level
- release.yml: contents: write already at job level, workflow to read-all
- stale.yml: issues: write, pull-requests: write moved to job level
- unity-tests.yml: checks: write moved to job level

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>

* revert: keep claude-code-review.yml unchanged to pass workflow validation

Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>

* revert: restore pr-tests.yml and unity-tests.yml to master

GitHub Actions doesn't allow job-level permissions to exceed
workflow-level permissions. These workflows need write permissions
at workflow level because multiple jobs require them.

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>

* fix(ci): ensure Unity Tests status is created for all scenarios

- Rename skip-tests job to 'Skip Unity Tests' for clarity
- Add commit status creation when tests are skipped
- Both run and skip scenarios now create 'Unity Tests' status

This ensures the required status check works regardless of whether
tests actually run or are skipped due to no relevant changes.

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>

---------

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>

Author: JasonXuDeveloper

.github/workflows/claude.yml

@@ -10,11 +10,7 @@ on:
   pull_request_review:
     types: [submitted]
 
-permissions:
-  contents: read
-  pull-requests: read
-  issues: read
-  id-token: write
+permissions: read-all
 
 jobs:
   claude:

.github/workflows/codeql.yml

@@ -13,14 +13,14 @@ on:
     - cron: '0 0 * * 0'
   workflow_dispatch:
 
-permissions:
-  contents: read
-  security-events: write
+permissions: read-all
 
 jobs:
   changes:
     name: Detect Changes
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     # Only run path detection for push/pull_request events
     if: github.event_name == 'push' || github.event_name == 'pull_request'
     outputs:

.github/workflows/labeler.yml

@@ -4,13 +4,14 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened]
 
-permissions:
-  contents: read
-  pull-requests: write
+permissions: read-all
 
 jobs:
   label:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Apply labels based on changed files
         uses: actions/labeler@v5

.github/workflows/pr-tests.yml

@@ -46,14 +46,30 @@ jobs:
     secrets: inherit
 
   skip-tests:
-    name: Run Unity Tests
+    name: Skip Unity Tests
     needs: changes
     if: needs.changes.outputs.should_test == 'false'
     runs-on: ubuntu-latest
+    permissions:
+      statuses: write
     steps:
       - name: Skip tests
         run: echo "No relevant changes detected, skipping tests"
 
+      - name: Set PR check status (skipped)
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.payload.pull_request.head.sha,
+              state: 'success',
+              target_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+              description: 'Skipped - no relevant changes',
+              context: 'Unity Tests'
+            });
+
   upload-coverage:
     name: Upload Coverage
     needs: [changes, run-tests]

.github/workflows/release.yml

@@ -26,8 +26,7 @@ on:
         required: false
         type: string
 
-permissions:
-  contents: write
+permissions: read-all
 
 jobs:
   validate:

.github/workflows/stale.yml

@@ -6,13 +6,14 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: write
-  pull-requests: write
+permissions: read-all
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: Mark stale issues and PRs
         uses: actions/stale@v9