Harden GitHub workflow permissions

- Restrict release workflow defaults to read-only access
- Grant `id-token` only to the publish job
- Document safe handling for `pull_request_target` in PR size checks

Author: juliusmarminge

.github/workflows/pr-size.yml

@@ -124,6 +124,9 @@ jobs:
       group: pr-size-${{ github.event.pull_request.number }}
       cancel-in-progress: true
     steps:
+      # This pull_request_target job may fetch untrusted PR commits only as passive
+      # git data. Do not add dependency installs, build/test scripts, or cache
+      # actions here; use pull_request plus workflow_run for that pattern instead.
       - name: Checkout base repository
         uses: actions/checkout@v4
         with:

.github/workflows/release.yml

@@ -23,8 +23,8 @@ on:
         type: string
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
+  id-token: none
 
 jobs:
   check_changes:
@@ -420,6 +420,9 @@ jobs:
     if: ${{ !failure() && !cancelled() && needs.preflight.result == 'success' && needs.build.result == 'success' }}
     runs-on: ubuntu-24.04 # blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 10
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v6