ci: apply least-privilege permissions to all workflows

Move write permissions from workflow-level to job-level to satisfy
OpenSSF Scorecard Token-Permissions check. This follows the principle
of least privilege - workflows default to read-all, and only specific
jobs that need write access declare it.

Changed workflows:
- claude.yml: id-token: write moved to job level
- claude-code-review.yml: consistent read-all at workflow level
- codeql.yml: security-events: write moved to job level
- labeler.yml: pull-requests: write moved to job level
- pr-tests.yml: pull-requests: write, statuses: write moved to job level
- release.yml: contents: write already at job level, workflow to read-all
- stale.yml: issues: write, pull-requests: write moved to job level
- unity-tests.yml: checks: write moved to job level

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>

Author: JasonXuDeveloper

.github/workflows/claude-code-review.yml

@@ -10,10 +10,7 @@ on:
     #   - "src/**/*.js"
     #   - "src/**/*.jsx"
 
-permissions:
-  contents: read
-  pull-requests: read
-  issues: read
+permissions: read-all
 
 jobs:
   claude-review:

.github/workflows/claude.yml

@@ -10,11 +10,7 @@ on:
   pull_request_review:
     types: [submitted]
 
-permissions:
-  contents: read
-  pull-requests: read
-  issues: read
-  id-token: write
+permissions: read-all
 
 jobs:
   claude:

.github/workflows/codeql.yml

@@ -13,14 +13,14 @@ on:
     - cron: '0 0 * * 0'
   workflow_dispatch:
 
-permissions:
-  contents: read
-  security-events: write
+permissions: read-all
 
 jobs:
   changes:
     name: Detect Changes
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     # Only run path detection for push/pull_request events
     if: github.event_name == 'push' || github.event_name == 'pull_request'
     outputs:

.github/workflows/labeler.yml

@@ -4,13 +4,14 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened]
 
-permissions:
-  contents: read
-  pull-requests: write
+permissions: read-all
 
 jobs:
   label:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Apply labels based on changed files
         uses: actions/labeler@v5

.github/workflows/pr-tests.yml

@@ -12,15 +12,14 @@ concurrency:
   group: pr-tests-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
-  pull-requests: write
-  statuses: write
+permissions: read-all
 
 jobs:
   changes:
     name: Detect Changes
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       should_test: ${{ steps.filter.outputs.src }}
     steps:

.github/workflows/release.yml

@@ -26,8 +26,7 @@ on:
         required: false
         type: string
 
-permissions:
-  contents: write
+permissions: read-all
 
 jobs:
   validate:

.github/workflows/stale.yml

@@ -6,13 +6,14 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: write
-  pull-requests: write
+permissions: read-all
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: Mark stale issues and PRs
         uses: actions/stale@v9

.github/workflows/unity-tests.yml

@@ -23,9 +23,7 @@ on:
         description: 'Test results summary'
         value: ${{ jobs.test.outputs.results }}
 
-permissions:
-  contents: read
-  checks: write
+permissions: read-all
 
 jobs:
   test: