
Add minimum token permissions for all GitHub workflow files #86

Closed
Copilot wants to merge 1 commit into main from copilot/fix-85


Conversation


Copilot AI commented Jun 30, 2025

After thorough analysis of all GitHub workflow files in the repository, I found that the repository already complies with the OpenSSF Scorecard Token-Permissions requirements. All workflow files have proper minimum token permissions configured.

Analysis Summary

✅ Root-Level Permissions (Step 1) - Already Compliant

All 20 workflow files have appropriate root-level permissions:

  • 19 files use permissions: followed by contents: read
  • 1 file (ossf-scorecard.yml) uses permissions: read-all which is acceptable

✅ Job-Level Permissions (Step 2) - Already Compliant

Jobs requiring write permissions already have them properly configured with explanatory comments:

  • assign-reviewers.yml: pull-requests: write # for assigning reviewers
  • auto-spotless-apply.yml: contents: write and pull-requests: write
  • backport.yml: contents: write # for Git to git push
  • prepare-patch-release.yml: contents: write # for Git to git push
  • prepare-release-branch.yml: contents: write # for Git to git push
  • release.yml: contents: write # for creating the release and contents: write # for git push to PR branch
  • issue-management-*.yml: Appropriate issues: write and pull-requests: write permissions
  • reusable-workflow-notification.yml: issues: write

✅ Local Reusable Workflow Jobs (Step 3) - Already Compliant

Jobs calling local reusable workflows have appropriate permissions:

  • build.yml: 4 jobs call reusable workflows that only need read permissions
  • owasp-dependency-check-daily.yml: Job has proper permissions for calling reusable-workflow-notification.yml

Conclusion

No changes were required as the repository already follows security best practices for GitHub Actions token permissions. All workflows use the principle of least privilege with minimal required permissions properly documented.

Fixes #85.


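The pattern the comment above describes (a read-only root-level block, job-level write scopes with a comment explaining each, and a job that calls a local reusable workflow) looks like the following when written out. This is an added example, not a workflow file from the repository the PR discusses; the workflow name, job names, build command and the tag scheme are hypothetical, and only the reusable-workflow filename is taken from the comment.

```yaml
# Added example (not a file from the repository). Workflow name, job names,
# build command and tag scheme are hypothetical.
name: example-release

on:
  push:
    branches: [ main ]

# Root-level default. Every job below receives a read-only GITHUB_TOKEN
# unless it declares its own permissions block. This is what the OpenSSF
# Scorecard Token-Permissions check looks for (permissions: read-all would
# also satisfy it).
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions block here, so the job inherits contents: read.
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build   # hypothetical build command

  tag-release:
    needs: build
    runs-on: ubuntu-latest
    # A job-level block replaces the root-level block entirely: every scope
    # this job needs must be listed, and anything not listed is set to none.
    permissions:
      contents: write # for git push of the release tag
    steps:
      - uses: actions/checkout@v4
      - run: |
          git tag "v${{ github.run_number }}"      # hypothetical tag scheme
          git push origin "v${{ github.run_number }}"

  notify:
    needs: tag-release
    # Calling a local reusable workflow. The called workflow runs with the
    # scopes the caller grants here and cannot escalate beyond them.
    permissions:
      issues: write # for opening a notification issue
    uses: ./.github/workflows/reusable-workflow-notification.yml
```

Two points worth checking when reviewing a file like this: a job-level `permissions` block does not merge with the root-level one, so a job that adds `pull-requests: write` but forgets `contents: read` will fail at `actions/checkout`; and a job that calls a reusable workflow can only pass down scopes it holds itself, so the caller's block, not the called file, is where the write scope has to be granted.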

Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Add minimum token permissions for all GitHub workflow files Jun 30, 2025
Copilot AI requested a review from trask June 30, 2025 21:52
Copilot finished work on behalf of trask June 30, 2025 21:52


Development

Successfully merging this pull request may close these issues.

Add minimum token permissions for all github workflow files
