
ci: replace write-all with least-privilege permissions in orchestrator workflows#8569

Open
KrutikaPhirangi wants to merge 2 commits into jaegertracing:main from KrutikaPhirangi:fix/issue-8161-ci-token-permissions

Conversation

@KrutikaPhirangi

Which problem is this PR solving?

Fixes #8161.

The OpenSSF Scorecard Token-Permissions check flags the orchestrator workflows because:

  • ci-orchestrator-stage1.yml, ci-orchestrator-stage2.yml, ci-orchestrator-stage3.yml — no top-level permissions: defined, so they inherit the default repository token scope.
  • ci-orchestrator.yml — top-level permissions: write-all, granting the GITHUB_TOKEN the maximum set of privileges.

Both violate the principle of least privilege.

Description of the changes

  • ci-orchestrator.yml — replaced workflow-level permissions: write-all with permissions: contents: read. Added per-job permissions: blocks on every stage caller (stage{1,2,3}-{seq,fast}) granting only the scopes that stage needs.
  • ci-orchestrator-stage1.yml — added permissions: contents: read.
  • ci-orchestrator-stage2.yml — added permissions: contents: read and checks: write (for unit-test reporters).
  • ci-orchestrator-stage3.yml — added permissions: contents: read, packages: read, security-events: write (CodeQL), actions: read (dependency-review / docker / e2e jobs).

Why permissions are declared on both the calling job and the called workflow

Per GitHub's reusable-workflow permissions rules, the effective permissions of a called workflow are the intersection of (calling job's permissions:) and (called workflow's permissions:). Both sides must grant a scope for it to apply.

Declaring on the called workflow as well keeps each stage correct if invoked directly by a different caller in the future, and gives a single point of truth for what each stage needs.

How was this change tested?

  • actionlint clean on all four files locally.
  • Permission scopes derived from the child workflows actually invoked by each stage (CodeQL → security-events: write, docker/e2e → packages: read + actions: read, unit tests → checks: write).
  • Will rely on this PR's CI run as the integration test — any missing scope will surface as a job failure here.

Checklist

…r workflows

Resolves OpenSSF Scorecard Token-Permissions warnings on the orchestrator
workflows by removing the workflow-level write-all grant and declaring
the minimum scopes each stage requires.

Changes:

- ci-orchestrator.yml: replace `permissions: write-all` with workflow-level
  `permissions: contents: read`. Add per-job `permissions:` blocks on every
  stage caller (stage{1,2,3}-{seq,fast}) granting only the scopes each stage
  needs.

- ci-orchestrator-stage1.yml: add `permissions: contents: read`.

- ci-orchestrator-stage2.yml: add `permissions: contents: read, checks: write`
  (unit-test reporters).

- ci-orchestrator-stage3.yml: add `permissions: contents: read, packages: read,
  security-events: write, actions: read` (CodeQL needs security-events:write;
  docker/build/e2e jobs need packages:read and actions:read).

Permissions are declared in both the calling job and the called workflow.
Per GitHub's reusable-workflow rules, the effective permissions of a called
workflow are the intersection of (calling job's permissions) and (called
workflow's permissions), so both sides must grant a scope for it to apply.
Declaring on the called workflow also keeps it correct if invoked directly
by a different caller in the future.

Verified locally with `actionlint` (clean).

Fixes jaegertracing#8161

Signed-off-by: KrutikaPhirangi <138781661+KrutikaPhirangi@users.noreply.github.com>
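How the intersection rule described above plays out across the PR's two commits, as an added example (this is not the Jaeger project's code and not GitHub's implementation): a small Python model of GITHUB_TOKEN scope resolution between a caller job and a reusable workflow, plus a Scorecard-style Token-Permissions check run over "before" and "after" configurations. The workflow structures are constructed, simplified stand-ins that reuse the PR's job and file names; the scope list is a subset of GitHub's, and treating a missing `permissions:` block as `write-all` is an assumption standing in for whatever the repository default is.

```python
"""Model GITHUB_TOKEN scope resolution between a caller job and a reusable
(called) workflow, plus a Scorecard-style Token-Permissions lint.
Added example for this PR page; not code from the Jaeger repository."""

# Privilege order per scope; min() over this gives the intersection.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Subset of scopes used in the example; GitHub's full list is longer.
ALL_SCOPES = ("actions", "checks", "contents", "packages",
              "pull-requests", "security-events")

# Assumption: what a workflow with no `permissions:` block inherits.
# GitHub's real default depends on repository/org settings.
REPO_DEFAULT = "write-all"


def expand(perms):
    """Normalise a `permissions:` value to {scope: level} over ALL_SCOPES."""
    if perms in ("write-all", "read-all"):
        return {s: perms.split("-")[0] for s in ALL_SCOPES}
    out = {s: "none" for s in ALL_SCOPES}
    out.update(perms)  # a mapping: undeclared scopes stay 'none'
    return out


def intersect(a, b):
    """Scope-wise minimum: a scope is granted only if both sides grant it."""
    return {s: min(a[s], b[s], key=LEVELS.get) for s in ALL_SCOPES}


def job_permissions(workflow, job_name):
    """Scopes a caller job holds: job-level block, else workflow-level block,
    else the repository default."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return expand(job["permissions"])
    return expand(workflow.get("permissions", REPO_DEFAULT))


def effective_permissions(caller, job_name, called):
    """A called workflow can only downgrade the token it is passed, never
    elevate it; if it declares nothing it keeps what the caller job passed."""
    passed = job_permissions(caller, job_name)
    if "permissions" not in called:
        return passed
    return intersect(passed, expand(called["permissions"]))


def token_permission_findings(workflow):
    """Scorecard-style Token-Permissions findings for one workflow file."""
    findings = []
    top = workflow.get("permissions")
    if top is None:
        findings.append("no top-level permissions: block")
    elif top == "write-all":
        findings.append("top-level permissions: write-all")
    for name, job in workflow["jobs"].items():
        if job.get("permissions") == "write-all":
            findings.append(f"job {name}: permissions: write-all")
    return findings


# Constructed, simplified stand-ins for the orchestrator (caller) and two
# called workflows. Job and file names follow the PR; contents are illustrative.
STAGE3 = "./.github/workflows/ci-orchestrator-stage3.yml"
SUMMARY = "./.github/workflows/ci-summary-report.yml"
STAGE3_SCOPES = {"contents": "read", "packages": "read",
                 "security-events": "write", "actions": "read"}
SUMMARY_SCOPES = {"contents": "read", "actions": "write"}

BEFORE_CALLER = {"permissions": "write-all",
                 "jobs": {"stage3-seq": {"uses": STAGE3},
                          "summary": {"uses": SUMMARY}}}
BEFORE_STAGE3 = {"jobs": {"codeql": {}}}  # no permissions block at all

# First commit: workflow-level contents: read and per-job scopes on the stage
# callers, but no block on `summary`, so it inherits only contents: read.
FIRST_CALLER = {"permissions": {"contents": "read"},
                "jobs": {"stage3-seq": {"uses": STAGE3, "permissions": STAGE3_SCOPES},
                         "summary": {"uses": SUMMARY}}}
# Second commit: `summary` gets its own block granting actions: write.
AFTER_CALLER = {"permissions": {"contents": "read"},
                "jobs": {"stage3-seq": {"uses": STAGE3, "permissions": STAGE3_SCOPES},
                         "summary": {"uses": SUMMARY, "permissions": SUMMARY_SCOPES}}}
AFTER_STAGE3 = {"permissions": STAGE3_SCOPES, "jobs": {"codeql": {}}}
SUMMARY_REPORT = {"permissions": SUMMARY_SCOPES, "jobs": {"report": {}}}


def demo():
    """Effective scopes for the states the PR moves through."""
    return {
        "before": effective_permissions(BEFORE_CALLER, "stage3-seq", BEFORE_STAGE3),
        "first_commit_summary": effective_permissions(FIRST_CALLER, "summary", SUMMARY_REPORT),
        "after_stage3": effective_permissions(AFTER_CALLER, "stage3-seq", AFTER_STAGE3),
        "after_summary": effective_permissions(AFTER_CALLER, "summary", SUMMARY_REPORT),
    }


if __name__ == "__main__":
    for state, scopes in demo().items():
        print(state, {s: lvl for s, lvl in scopes.items() if lvl != "none"})
    print("before caller:", token_permission_findings(BEFORE_CALLER))
    print("before stage3:", token_permission_findings(BEFORE_STAGE3))
    print("after caller:", token_permission_findings(AFTER_CALLER))
```

The `first_commit_summary` state reproduces the problem the second commit fixes: the called summary workflow declares `actions: write`, but the caller's `summary` job passes only the workflow-level `contents: read`, so the minimum on `actions` is `none`. Adding `actions: write` on the caller job (the `after_summary` state) is the only way to restore it, since the callee cannot elevate what it was handed.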
Copilot AI review requested due to automatic review settings May 13, 2026 06:23
@KrutikaPhirangi KrutikaPhirangi requested a review from a team as a code owner May 13, 2026 06:23

Copilot AI left a comment


Pull request overview

This PR tightens GitHub Actions GITHUB_TOKEN permissions for the CI orchestrator and its reusable stage workflows to satisfy OpenSSF Scorecard’s Token-Permissions check and better follow least-privilege.

Changes:

  • Replaces permissions: write-all in ci-orchestrator.yml with a minimal default (contents: read) and adds job-level permissions for stage callers.
  • Adds explicit top-level permissions: blocks to ci-orchestrator-stage{1,2,3}.yml to ensure correct permissions when invoked directly.
  • Grants stage-specific scopes (e.g., checks: write, security-events: write, packages: read, actions: read) where required by downstream reusable workflows.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
.github/workflows/ci-orchestrator.yml Drops workflow-wide write-all in favor of least-privilege and adds per-stage job permissions.
.github/workflows/ci-orchestrator-stage1.yml Adds explicit stage-level permissions (contents: read).
.github/workflows/ci-orchestrator-stage2.yml Adds stage-level permissions including checks: write for unit-test reporting.
.github/workflows/ci-orchestrator-stage3.yml Adds stage-level permissions for CodeQL, Docker/E2E, and dependency review needs.


Comment thread .github/workflows/ci-orchestrator.yml
Comment thread .github/workflows/ci-orchestrator-stage2.yml Outdated
Comment thread .github/workflows/ci-orchestrator-stage3.yml
- ci-orchestrator.yml: grant `actions: write` on the `summary` job;
  ci-summary-report.yml needs it for actions/cache save and
  `gh run download`, and the new workflow-level `contents: read`
  was stripping it via the reusable-workflow intersection.

- ci-orchestrator-stage2.yml: drop workflow-level `checks: write`;
  declare it per-job on `unit-tests` only (ai-sidecar-gemini does
  not need it).

- ci-orchestrator-stage3.yml: drop workflow-level
  `packages: read`, `security-events: write`, `actions: read`;
  declare them per-job on the only children that need them
  (docker-all-in-one → packages:read; codeql →
  security-events:write + actions:read). Other stage3 children
  remain at `contents: read`.

Per-job scoping matches each leaf workflow's existing
`permissions:` declarations.

Signed-off-by: KrutikaPhirangi <138781661+KrutikaPhirangi@users.noreply.github.com>
@codecov

codecov Bot commented May 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.53%. Comparing base (486ea50) to head (ca40355).
⚠️ Report is 22 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8569      +/-   ##
==========================================
+ Coverage   96.52%   96.53%   +0.01%     
==========================================
  Files         330      330              
  Lines       17356    17356              
==========================================
+ Hits        16753    16755       +2     
+ Misses        454      453       -1     
+ Partials      149      148       -1     
Flag Coverage Δ
badger_direct 8.95% <ø> (ø)
badger_e2e 1.04% <ø> (ø)
cassandra-4.x-direct-manual 14.56% <ø> (ø)
cassandra-4.x-e2e-auto 1.03% <ø> (ø)
cassandra-4.x-e2e-manual 1.03% <ø> (ø)
cassandra-5.x-direct-manual 14.56% <ø> (ø)
cassandra-5.x-e2e-auto 1.03% <ø> (ø)
cassandra-5.x-e2e-manual 1.03% <ø> (ø)
clickhouse-direct 8.98% <ø> (ø)
clickhouse-e2e 1.16% <ø> (ø)
elasticsearch-6.x-direct 16.89% <ø> (ø)
elasticsearch-7.x-direct 16.92% <ø> (ø)
elasticsearch-8.x-direct 17.07% <ø> (ø)
elasticsearch-8.x-e2e 1.09% <ø> (+0.04%) ⬆️
elasticsearch-9.x-e2e 1.04% <ø> (ø)
grpc_direct 7.89% <ø> (ø)
grpc_e2e ?
kafka-3.x-v2 1.04% <ø> (ø)
memory_v2 1.04% <ø> (ø)
opensearch-1.x-direct 16.96% <ø> (ø)
opensearch-2.x-direct 16.96% <ø> (ø)
opensearch-2.x-e2e 1.04% <ø> (ø)
opensearch-3.x-e2e 1.04% <ø> (ø)
query 1.04% <ø> (ø)
tailsampling-processor 0.53% <ø> (ø)
unittests 94.82% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown.

Development

Successfully merging this pull request may close these issues.

ci: fix excessive GitHub workflow token permissions

2 participants