fix(ci): set explicit workflow permissions for Scorecard compliance

- pr-tests.yml: Set explicit permissions at workflow level, jobs restrict further
- unity-tests.yml: Set explicit permissions for reusable workflow

Using read-all at workflow level prevents jobs from getting write permissions.
Instead, set maximum needed permissions at workflow level and let jobs restrict.

Signed-off-by: JasonXuDeveloper <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>

Author: JasonXuDeveloper

.github/workflows/pr-tests.yml

@@ -12,15 +12,20 @@ concurrency:
   group: pr-tests-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+# Workflow-level permissions set to maximum needed by any job
+# Individual jobs further restrict to only what they need
 permissions:
   contents: read
-  pull-requests: write
+  checks: write
   statuses: write
+  pull-requests: write
 
 jobs:
   changes:
     name: Detect Changes
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       should_test: ${{ steps.filter.outputs.src }}
     steps:
@@ -75,6 +80,8 @@ jobs:
     needs: [changes, run-tests]
     runs-on: ubuntu-latest
     if: needs.changes.outputs.should_test == 'true' && needs.run-tests.result == 'success'
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/unity-tests.yml

@@ -23,6 +23,7 @@ on:
         description: 'Test results summary'
         value: ${{ jobs.test.outputs.results }}
 
+# Workflow-level permissions for reusable workflow
 permissions:
   contents: read
   checks: write